Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150911-276-Regin-Stealthy Surveillance
Raytheon Blackbird Technologies, Inc.
11 September 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report is a fairly high-level overview of Regin, a very sophisticated malware sample that has been observed in operation since 2013. There are some indications that the malware has been in use since as early as 2008, but most agree that the current iteration of Regin dates to about 2013. Regin appears to be focused on target surveillance and data collection. The most striking aspect of Regin is its modular architecture, which affords a high degree of flexibility and tailoring of attack capabilities to specific targets. Another impressive aspect of Regin is its stealthiness: its ability to hide itself from discovery, with portions of the attack being memory-resident only.
(S//NF) While the report is fairly comprehensive in its overview of Regin capabilities, there are no implementation details contained in the report. For example, the report states there are several device drivers loaded as part of the infection routine but there is no discussion in the report of driver signing (we assume the bad actors have valid certs, but it’s not clear from the report). The report mentions that Stage 4 modules inject code into services.exe but no details are given regarding the methods or APIs used for code injection. The report states that the Stage 0 dropper may exist only in memory but does not describe the methods or APIs used to implement the memory-only routines. The report is well-written and provides a high-level view of Regin, but no implementation details sufficient to make PoC recommendations.
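The stage breakdown that follows notes that Stage 1 loads the encrypted Stage 2 driver from NTFS extended attributes, so an examiner who has carved a file's $EA attribute body from the MFT needs to walk it and pick out values that look like a stashed driver rather than ordinary metadata. The parser below is an added example written for this page, not code from the report or from Regin; the entry layout is Windows' FILE_FULL_EA_INFORMATION structure, the sample blob and the EA name EXAMPLE.PAYLOAD are constructed, and the size and entropy thresholds are assumptions.

```python
import math
import struct
from collections import Counter

# Entry layout (FILE_FULL_EA_INFORMATION, also the on-disk body of an NTFS $EA attribute):
# NextEntryOffset ULONG (0 on the last entry, else a multiple of 4), Flags UCHAR,
# EaNameLength UCHAR, EaValueLength USHORT, NUL-terminated name, raw value bytes.
_HEADER = struct.Struct("<IBBH")

def parse_ea_blob(blob: bytes) -> list[tuple[str, bytes]]:
    """Walk a raw $EA attribute body and return every (name, value) pair it contains."""
    entries, offset = [], 0
    while offset + _HEADER.size <= len(blob):
        next_off, _flags, name_len, value_len = _HEADER.unpack_from(blob, offset)
        name_start = offset + _HEADER.size
        value_start = name_start + name_len + 1  # skip the NUL after the name
        if value_start + value_len > len(blob):
            raise ValueError(f"truncated EA entry at offset {offset}")
        name = blob[name_start:name_start + name_len].decode("ascii", "replace")
        entries.append((name, blob[value_start:value_start + value_len]))
        if next_off == 0:
            break  # last entry in the chain
        if next_off < _HEADER.size or next_off % 4:
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {offset}")
        offset += next_off
    return entries

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def suspicious_eas(blob: bytes, min_size: int = 1024, min_entropy: float = 7.0):
    """Flag EA values large enough to hold a driver and too random for ordinary metadata
    (both thresholds are assumptions to tune per environment)."""
    return [(name, value) for name, value in parse_ea_blob(blob)
            if len(value) >= min_size and shannon_entropy(value) >= min_entropy]

def build_ea_blob(entries: list[tuple[str, bytes]]) -> bytes:
    """Serialise (name, value) pairs into a blob; used here only to construct test input."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        body = _HEADER.size + len(name) + 1 + len(value)
        padded = (body + 3) & ~3
        out += _HEADER.pack(0 if i == len(entries) - 1 else padded, 0, len(name), len(value))
        out += name.encode("ascii") + b"\0" + value + b"\0" * (padded - body)
    return bytes(out)

# Constructed sample: a benign small EA plus a 4 KiB stand-in for an encrypted driver blob.
SAMPLE_BLOB = build_ea_blob([("Comment", b"hello"), ("EXAMPLE.PAYLOAD", bytes(range(256)) * 16)])
```

Running `suspicious_eas(SAMPLE_BLOB)` returns only the constructed EXAMPLE.PAYLOAD entry; the small Comment attribute is parsed but not flagged.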
(S//NF) Regin has a six-stage architecture:
Stage 0 – Dropper that is responsible for installing the Stage 1 device driver. The Stage 0 Dropper is believed to be a memory-only component.
Stage 1 – A support module that facilitates the installation of the Stage 2 kernel-mode driver. The Stage 1 installer reads and executes the Stage 2 driver installation code from NTFS extended attributes or registry key blobs.
Stage 2 – A kernel driver that extracts, installs, and runs Stage 3. Stage 2 is encrypted within an NTFS extended attribute or registry blob. Stage 2 has the capability to provide rootkit functionality for Stage 1; no further detail on this rootkit capability is provided in the report. Stage 2 can also monitor the status of the attack by dropping a file that records the status of the attack in its first two bytes: one byte indicating whether the implant is running and the other byte indicating which instance number is running.
Stage 3 – A kernel-mode .DLL that provides a number of critical functions such as overall orchestration of the attack, management of a virtual file system, compression/decompression routines, encryption/decryption routines, IPC, network comms, and an API hooking engine. No details of these capabilities are provided in the report, only that they exist.
Stage 4 – User-mode and kernel payloads. The user-mode payloads include functionality such as virtual file system access, networking, event logging, compression/decompression, encryption/decryption, custom RPC, peer node management, UDP/TCP transport, Winlogon autostart, and Encrypted Volume and File System (EVFS) handling. The kernel payloads include port blocking, packet filtering, DLL loading, PE loading, and rootkit functions. No details on the implementation of these capabilities are provided in the report.