This week it was announced that security researchers discovered a connection between the nefarious Regin malware strain and the documents released by whistleblower Edward Snowden regarding the U.S. National Security Agency.
Earlier this month, German newspaper Der Spiegel published an article detailing how the NSA, the U.K.'s GCHQ and intelligence agencies from a number of other U.S. allies were allegedly creating Internet-based offensive capabilities that would be able to attack computer networks controlling the critical infrastructure within enemy countries.
Along with the article the newspaper also published the source code for the malicious software known as QWERTY. The program is a keylogger supposedly used for the cyber espionage efforts of the U.S. and others. The plug-in built for the QWERTY keylogger was created for the modular WARRIORPRIDE malware framework which was revealed after Snowden exposed confidential NSA documents. It is a simple plug-in designed to intercept any keys pressed and record them to be analyzed later.
In comparison, the Regin malware, which was discovered by Symantec researchers in 2014, has been said to "display a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers and private individuals." It is believed that the backdoor Trojan has been in use since 2008, but was only discovered last year due to its heightened ability to evade detection.
Once the QWERTY source code was made available, researchers with Kaspersky Labs Costin Raiu and Igor Soumenkov analyzed the files for both pieces of malicious software and discovered that they are strikingly similar to one another.
"Looking at the code closely, we conclude that the 'QWERTY' malware is identical in functionality to the Regin 50251 plugin," said the pair.
Similarities found between the codes
After analyzing the two types of malware, the Kaspersky researchers found that the QWERTY module pack has three binaries and accompanying configuration files. One such file known as 20123.sys, is also a part of the Regin module. According to Raiu and Soumenkov, the two programs share a major portion of the same source code, mainly pertaining to the function that accesses the system keyboard driver. Not only that, but the majority of the components from QWERTY use plug-ins from the same pack as Regin and one piece of code found in the QWERTY spyware kit references plug-ins found within the Regin platform.
Based on their analysis of the malicious software, the pair have concluded that QWERTY was designed as a plug-in that functions within the Regin platform. Instead of acting as a stand alone module, the QWERTY keylogger relies on kernel hooking functions provided by the Regin module.
"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," the duo said.
Defending against increasingly sophisticated malware
While the U.S. government using highly evasive malware to spy on adversaries may not seem like a big problem for businesses, the ability to conceal a dangerous piece of software within a more tame program should be concerning. Malicious software like Regin is designed to evade traditional antivirus techniques, making it especially dangerous. Most companies don't have the resources to hire dedicated IT staff to watch network activity around the clock, making the threat even larger.
In order to protect systems from threats capable of slipping by ordinary methods, companies must employ security information and event management services. Managed SIEM services monitor network activity 24/7 in order to detect any suspicious or anomalous behavior, identifying threats and recording the intrusion. This event data is then analyzed and used to create actionable defense information to protect enterprise systems, ensuring stronger defenses and better protected networks.