The infamous Regin trojan is likely to have been developed by the NSA or one of its allies, after security experts found a number of similarities between it and code discovered amongst leaked Edward Snowden documents.
Earlier this month German newspaper Der Spiegel published details of a ‘new’ malicious program, QWERTY, which was mentioned in yet more documents leaked by NSA whistleblower Snowden.
In a blog post, Kaspersky Lab’s director of global research, Costin Raiu, and principal security researcher, Igor Soumenkov, explained their findings:
“We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the ‘QWERTY’ malware is identical in functionality to the Regin 50251 plugin.”
Although the researchers stopped short of attributing the malware to Five Eyes security agencies, they do claim that QWERTY functions as the keylogger element of Regin.
Rather than operate as a standalone, QWERTY can only work via kernel hooking functions provided by the Regin module 50225.
“Considering the extreme complexity of the Regin platform and [the] little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” they wrote.
Other indications linking QWERTY to Five Eyes intelligence services are that it apparently includes numerous references to cricket – a sport virtually unheard of outside of Britain and its former colonies.
Regin was discovered back in November last year, when Symantec revealed its multi-stage architecture, which brought to mind Stuxnet/Duqu, and its modular approach, which was reminiscent of Flamer and Weevil.
Several capabilities had also been engineered into the malware to help it stay hidden, including encryption and anti-forensics tools.
Most victims were apparently in the Russian Federation (28%) and Saudi Arabia (24%).