Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150911-276-Regin-Stealthy Surveillance
Raytheon Blackbird Technologies, Inc. | Page 2 | 11 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
Stage 5
The main Regin payload functionality is contained in this stage. The files for Stage 5 are injected into services.exe by Stage 4 (the report gives no further detail on the injection method or the APIs used). Stage 5 files are actually EVFS containers that hold other files. The functionality contained in Stage 5 depends on the target; Regin’s modularity allows such fine-grained tailoring to targets. Some of the functionality observed includes network traffic sniffing, exfiltrating data through various channels and protocols, password harvesting, collecting process and memory information, low-level forensics (such as recovering deleted files), and enumerating IIS servers. Again, no implementation details for any of these capabilities are provided.
(S//NF) Because the report on Regin lacks implementation details for any of the capabilities mentioned, no PoCs are recommended.
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.
3.0 (U) Identification of Affected Applications
(U) Windows and Linux.
4.0 (U) Related Techniques
(S//NF) Dropper, installer, rootkit, RAT, stealth.
5.0 (U) Configurable Parameters
(S//NF) Varied depending on tailored attack capability and target.
6.0 (U) Exploitation Method and Vectors
(S//NF) No exploitation methods are mentioned in this report. The only attack vector mentioned
was a possible Yahoo social media vector. Regin’s attack vector is unknown at this time.
7.0 (U) Caveats
(U) None.
8.0 (U) Risks
(S//NF) Not applicable as no PoCs are recommended.
9.0 (U) Recommendations
(S//NF) No PoCs are recommended.
