McAfee Customers Protected from Regin Malware Since 2011

Protecting customers takes precedence over seeking headlines: this was the title of a recent blog by our very own Christiaan Beek on the priorities of the team. Yet within 72 hours we awoke to news of a recently discovered espionage campaign using a toolkit under the name of Regin.

McAfee is aware of the recent research papers on Regin. Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on active computer processes. McAfee products have detected and protected against the Regin malware samples mentioned in the report since 2011.

Indeed, based on the extensive work conducted by the team since we became aware of the threat a few years ago, we can confirm that in addition to the filenames provided, the following are also used by the toolkit:

  • Ser8UART.sys
  • abiosdsk.sys
  • floppy.sys
  • pcidump.sys
  • pciport.sys
  • qic117.sys

One particularly interesting element is the associated timestamps, which can be used to determine how long the threat has been in existence. Indeed, as has been reported elsewhere[i], it was likely in existence as far back as 2006, but upon closer inspection likely considerably earlier than this date.

In terms of the malware itself the driver file has encrypted data as highlighted below:

Image 1

Decryption is achieved simply through XOR with key:

Image 2
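The XOR scheme described above is worth seeing in working code from the analyst's side. The following is an added example, not code from the original post or from McAfee: it implements repeating-key XOR decryption and shows how an analyst recovers the key from a small piece of known plaintext (here the standard DOS header prefix of an embedded PE image). The key, the sample plaintext and the hypothetical `find_key` search are all constructed for illustration; the real Regin key appears only in the post's screenshot and is not used here.

```python
"""Repeating-key XOR decryption plus known-plaintext key recovery.

All data below is constructed for illustration; DEMO_KEY is NOT the key
used by Regin, and the helper names are this example's own.
"""


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """XOR every byte of `data` with the repeating `key`.

    XOR is its own inverse, so the same routine encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                key_len: int, offset: int = 0) -> bytes:
    """Derive a repeating XOR key of length `key_len` from a known
    plaintext fragment located at `offset` in the ciphertext.

    Because ct[i] = pt[i] ^ key[i % key_len], each known byte yields one
    key byte; we need at least `key_len` consecutive known bytes.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key length")
    if offset + key_len > len(ciphertext):
        raise ValueError("known plaintext extends past end of ciphertext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ known_plaintext[i]
    return bytes(key)


# Constructed demo material: a PE-like blob (DOS header + stub message)
# encrypted with a made-up 4-byte key.
DEMO_KEY = bytes.fromhex("4b17a9c1")  # constructed, not Regin's key
PLAINTEXT = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
             b"This program cannot be run in DOS mode.\r\n")
CIPHERTEXT = xor_decrypt(PLAINTEXT, DEMO_KEY)  # encryption == decryption

# Bytes an analyst can assume at offset 0 of a typical PE image.
KNOWN_PREFIX = b"MZ\x90\x00"
# Text present in nearly every PE's DOS stub; used to confirm a guess.
STUB_MARKER = b"cannot be run in DOS mode"


def find_key(blob: bytes, max_key_len: int = len(KNOWN_PREFIX)):
    """Try key lengths 1..max_key_len, recovering each candidate from the
    known PE prefix and accepting the first one whose decryption exposes
    the DOS stub text. Returns (key, plaintext) or None if nothing fits.
    """
    for key_len in range(1, max_key_len + 1):
        candidate = recover_key(blob, KNOWN_PREFIX[:key_len], key_len)
        plain = xor_decrypt(blob, candidate)
        if STUB_MARKER in plain:
            return candidate, plain
    return None


if __name__ == "__main__":
    result = find_key(CIPHERTEXT)
    if result is None:
        print("no key found")
    else:
        key, plain = result
        print("recovered key:", key.hex())
        print("decrypted head:", plain[:16])
```

The search stops at the first key length whose decryption contains the stub text; shorter wrong candidates (for example a 1-byte key derived only from `M`) decrypt the header correctly but turn the rest of the blob into noise, so the marker check rejects them. With longer keys an analyst would substitute a longer known fragment, such as the full DOS stub at its known offset.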

The important realization here is that this threat is not ‘new’ to us (or to most of the security industry, for that matter). We consider customer security and NDA/confidentiality agreements to be of the utmost and critical importance. Our role as a trusted partner far outweighs any need or desire to ‘grab’ headlines.

We have ~40+ samples related to this threat. Whilst, like the rest of the industry, we lack the original stage 1 dropper, which limits the ability to fully dissect and analyze the malware in its proper running context, we will continue to regularly update our understanding of the malware, which dates back to 2011. Indeed, this applies to all other threats that we continue to identify.

Basic IMPHash relationship diagram below:

Image 3
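An IMPHash (import hash) relationship diagram like the one above groups samples whose import tables hash to the same value. The following is an added example, not code from the original post or from McAfee, showing the import-hash computation as commonly implemented (lower-cased `dll.symbol` pairs, in import order, with `.dll`/`.sys`/`.ocx` extensions stripped, MD5 over the comma-joined list) and a small clustering helper. The import tables are constructed, not taken from real Regin samples; the example does not parse PE files, and unnamed ordinal imports are rendered as `ordN` without the ordinal-to-name lookup tables that full implementations apply for a few well-known libraries.

```python
"""Import hash (imphash) computation and sample clustering.

Import lists below are constructed for illustration; they are not the
import tables of any real Regin file.
"""
import hashlib
from collections import defaultdict

# Extensions dropped from the library name before hashing.
STRIPPED_EXTENSIONS = (".ocx", ".sys", ".dll")


def imphash(imports) -> str:
    """Compute the import hash of an ordered import table.

    `imports` is a sequence of (library, symbol) pairs, where `symbol` is
    the imported function name (str) or, for imports by ordinal, an int.
    Order matters: the same imports in a different order hash differently,
    which is exactly why the hash fingerprints a compiler/linker layout.
    """
    parts = []
    for library, symbol in imports:
        lib = library.lower()
        for ext in STRIPPED_EXTENSIONS:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Ordinal-only imports: full implementations map some of these
        # back to names via per-library tables; here we keep the ordN form.
        name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by import hash.

    `samples` maps a sample name to its import table. Returns a dict of
    imphash -> sorted list of sample names sharing that hash, which is the
    data behind a relationship diagram such as the one in the post.
    """
    groups = defaultdict(list)
    for sample_name, imports in samples.items():
        groups[imphash(imports)].append(sample_name)
    return {h: sorted(names) for h, names in groups.items()}


# Constructed kernel-driver-style import tables (hypothetical file names).
SAMPLES = {
    "driver_a.sys": [
        ("ntoskrnl.exe", "ExAllocatePoolWithTag"),
        ("ntoskrnl.exe", "ZwCreateFile"),
        ("HAL.dll", "KeGetCurrentIrql"),
    ],
    # Same imports, same order, different letter case: identical hash.
    "driver_b.sys": [
        ("NTOSKRNL.EXE", "ExAllocatePoolWithTag"),
        ("ntoskrnl.exe", "ZwCreateFile"),
        ("hal.dll", "KeGetCurrentIrql"),
    ],
    # Same imports in a different order: different hash.
    "driver_c.sys": [
        ("HAL.dll", "KeGetCurrentIrql"),
        ("ntoskrnl.exe", "ExAllocatePoolWithTag"),
        ("ntoskrnl.exe", "ZwCreateFile"),
    ],
    # An ordinal import; rendered as "ws2_32.ord23" by this example.
    "loader_d.dll": [("WS2_32.dll", 23), ("kernel32.dll", "CreateFileA")],
}


def related_samples(samples, sample_name):
    """Return the other samples sharing `sample_name`'s import hash."""
    target = imphash(samples[sample_name])
    return sorted(n for n, imps in samples.items()
                  if n != sample_name and imphash(imps) == target)


if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, "->", ", ".join(names))
```

Two caveats a practitioner should keep in mind: samples that import nothing by name (packed files, or drivers resolving everything dynamically) all collapse to the same hash of an empty list, and a single added or reordered import breaks the relationship, so import-hash edges are a lead for further analysis rather than proof of common origin.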


As additional details emerge, we will continue to communicate across our standard channels.

[i] http://www.computerworld.com/article/2851513/traces-of-regin-malware-may-date-back-to-2006.html
