Source code reveals link between NSA and Regin cyberespionage malware - sublettandere
Keylogging malware that may have been used by the NSA shares significant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years.
The keylogger program, likely part of an attack framework used by the U.S. National Security Agency and its intelligence partners, is dubbed QWERTY and was among the files that former NSA contractor Edward Snowden leaked to journalists. It was released by German news magazine Der Spiegel on Jan. 17 along with a larger collection of secret documents about the malware capabilities of the NSA and the other Five Eyes partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand.
"We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin," malware researchers from antivirus firm Kaspersky Lab said Tuesday in a blog post. "Looking at the code closely, we conclude that the 'QWERTY' malware is identical in functionality to the Regin 50251 plugin."
Moreover, the Kaspersky researchers found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform, identified as 50225, which handles kernel-mode hooking. This module allows the malware to run in the highest privileged area of the operating system: the kernel.
This is strong evidence that QWERTY can only operate as part of the Regin platform, the Kaspersky researchers said. "Considering the extreme complexity of the Regin platform and the little chance that it can be duplicated by somebody without having access to its source code, we conclude the QWERTY malware developers and the Regin developers are the same or working together."
Der Spiegel reported that QWERTY is most likely a plug-in of a unified malware framework codenamed WARRIORPRIDE that is used by all Five Eyes partners. This is supported by references in the code to a dependency called WzowskiLib or CNELib.
In a separate leaked document authored by the Communications Security Establishment Canada, the Canadian counterpart of the National Security Agency, WARRIORPRIDE is described as a flexible computer network exploitation (CNE) platform that is an implementation of the "WZOWSKI" Five Eyes API (application programming interface).
The document also notes that WARRIORPRIDE is known under the code name DAREDEVIL at the U.K. Government Communications Headquarters (GCHQ) and that the Five Eyes intelligence partners can create and share plug-ins for it.
The newly revealed link between QWERTY and Regin suggests that the cyberespionage malware platform security researchers call Regin is most likely WARRIORPRIDE.
Some experts already suspected this based on other clues. According to Kaspersky Lab, Regin was the malware program that infected the personal computer of Belgian cryptographer Jean-Jacques Quisquater in 2013. That attack was linked to another malware attack against Belgian telecommunications group Belgacom, whose customers include the European Commission, the European Parliament and the European Council.
Der Spiegel reported in September 2013, based on documents leaked by Snowden, that GCHQ was responsible for the attack on Belgacom as part of a secret operation code-named Operation Socialist.
Ronald Prins, co-founder of Fox-IT, a Dutch security company hired to investigate the attack against Belgacom, told The Intercept in November that he was convinced Regin was used by British and American intelligence services. The Intercept also reported, citing anonymous sources, that the malware was used in attacks against the European Parliament.
An NSA spokeswoman said at the time that the agency would not comment on The Intercept's "speculation."
The existence of Regin was first disclosed in November, when both Kaspersky Lab and Symantec published extensive research papers on it. However, antivirus companies knew about the malware for at least a year prior to that, and forensic evidence suggests that the threat may have been active as far back as 2006.
Security researchers believe that Regin is comparable in sophistication to Stuxnet, the computer worm reportedly created by the U.S. and Israel that was used to sabotage Iran's nuclear efforts by destroying uranium enrichment centrifuges.
However, unlike Stuxnet, Regin was mostly used for espionage, not sabotage. Symantec found around 100 Regin victims in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. The principal targets were telecom operators, government organizations, multi-national political bodies, financial institutions, research centers and individuals involved in advanced mathematical and cryptographic research, according to Kaspersky Lab.
No new infections with Regin have been found since mid-2014, said Costin Raiu, director of Kaspersky's global research and analysis team, via email Monday.
It's not clear whether the malware platform's authors are working to completely replace it because it has been exposed, or are just making significant changes to it.
"We believe it would be very difficult to replace the whole Regin platform with something else," Raiu said. "Therefore, it is more likely it will be modified and improved instead of completely replaced."
Source: https://www.pcworld.com/article/431516/link-between-nsa-and-regin-cyberespionage-malware-becomes-clearer.html
Posted by: sublettandere.blogspot.com