Published 2015-12-21
(c) Copyright Matthieu Kaczmarek (Author) 2015
This work is available under the Creative Commons Attribution 4.0 International license.
Abstract
The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering.
An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program a separate analysis toolkit.
As an application of the presented instrumentation, the underlying botnet architecture is analysed. Finally, conclusions from different perspectives are provided: defense, attack and counter-intelligence.