Prax (malware)
Regin (also known as Prax or QWERTY) is a sophisticated malware and hacking toolkit used by the United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and ''The Intercept'' in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. ''The Intercept'' provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. (The name Regin is first found on the VirusTotal website on 9 March 2011.) Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan. Kaspersky has said the malware's main victims are private individuals, small businesses and telecom companies. Regin has been compared to Stuxnet and is thought to have been developed by "well-resourced teams of developers", possibly a Western government, as a targeted multi-purpose data collection tool. According to ''Die Welt'', security experts at Microsoft gave it the name "Regin" in 2011, after the cunning Norse dwarf Regin.


Operation

Regin uses a modular approach allowing it to load features that exactly fit the target, enabling customized spying. The design makes it highly suited for persistent, long-term mass surveillance operations against targets. Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS) entirely contained within what looks like a single file with an innocuous name to the host, within which files are identified only by a numeric code, not a name. The EVFS employs a variant encryption of the rarely used RC5 cipher. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies and custom TCP and UDP protocols with a command and control server which can control operations, upload additional payloads, etc.


Identification and naming

Symantec says that both it and Kaspersky identified the malware as ''Backdoor.Regin''. Most antivirus programs, including Kaspersky (as of October 2015), do NOT identify the sample of Regin released by The Intercept as malware. On 9 March 2011 Microsoft added related entries to its Malware Encyclopedia; later two more variants, ''Regin.B'' and ''Regin.C'', were added. Microsoft appears to call the 64-bit variants of Regin ''Prax.A'' and ''Prax.B''. The Microsoft entries do not have any technical information. Both Kaspersky and Symantec have published white papers with information they learned about the malware.


Known attacks and originator of malware

German news magazine ''Der Spiegel'' reported in June 2013 that the US intelligence agency, the National Security Agency (NSA), had conducted online surveillance on both European Union (EU) citizens and EU institutions. The information derives from secret documents obtained by former NSA worker Edward Snowden. Both ''Der Spiegel'' and ''The Intercept'' quote a secret 2010 NSA document stating that it made cyberattacks that year, without specifying the malware used, against the EU diplomatic representations in Washington, D.C. and its representations to the United Nations. Signs identifying the software used as Regin were found by investigators on infected machines. ''The Intercept'' reported that, in 2013, the UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company. These attacks may have led to Regin coming to the attention of security companies. Based on analysis done by IT security firm Fox IT, ''Der Spiegel'' reported in November 2014 that Regin is a tool of the UK and US intelligence agencies. Fox IT found Regin on the computers of one of its customers, and according to their analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake". Fox IT did not name the customer, but ''Der Spiegel'' mentioned that among the customers of Fox IT is Belgacom and cited the head of Fox IT, Ronald Prins, who stated that they are not allowed to speak about what they found in the Belgacom network. (Christian Stöcker and Marcel Rosenbach, "Spionage-Software: Super-Trojaner Regin ist eine NSA-Geheimwaffe", ''Der Spiegel'', November 25, 2014.) In December 2014, German newspaper ''Bild'' reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel. Checks of all high-security laptops in the German Chancellery revealed no additional infections. Regin was used in October and November 2018 to hack the research and development unit of Yandex.


See also

* Advanced persistent threat
* Cyberwarfare in the United States
* NSA ANT catalog
* Stuxnet
* WARRIOR PRIDE

