Vol. 1 No. 1 (2015): Proceedings of Botconf 2015
Conference proceedings

Malware Instrumentation Application to Regin Analysis

Matthieu Kaczmarek
Google Mandiant

Published 2015-12-21

How to Cite

Kaczmarek, M. (2015). Malware Instrumentation Application to Regin Analysis. The Journal on Cybercrime and Digital Investigations, 1(1), 1-12. https://doi.org/10.18464/cybin.v1i1.2

Download Citation


The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering.

An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules. So analysis can derectly leverage malware's own code without the need to program an analysis toolkit.

As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally conclusions from different perspectives are provided: defense, attack and counter intelligence.


  1. Symantec Security Response, “Regin: Top-tier espionage tool enables stealthy surveillance,” https://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/regin-analysis.pdf, 2014.
  2. Kaspersky Lab Report, “The regin platform nation-state ownage of gsm networks,” https://securelist.com/files/2014/11/Kaspersky Lab whitepaper Regin platform eng.pdf, 2014.
  3. Omer Coskun, “Why nation-state malwares target telco networks,” https://www.slideshare.net/merCokun1/defcon23-why-nationstatemalwaretargettelcoomercoskun-51440112, 2015.
  4. Paul Rascagneres and Eddy Willems, “Regin, an old but sophisticated `cyber espionage toolkit platform,” https://blog.gdatasoftware.com/blog/article/regin-an-old-but-sophisticated-cyber-espionage-toolkit-platform.html, 2014.
  5. EmergingThreats, “Regin rules (requries apr module) and flash detection updates,” https://github.com/EmergingThreats/et-luajit-scripts/blob/master/luajit.rules.
  6. Paul Ducklin, “Do terrorists use spam to shroud their secrets?” https://nakedsecurity.sophos.com/2015/01/19/do-terrorists-use-spam-to-shroud-their-secrets, 2014.