Experts at Kaspersky Lab compared the Regin module 50251 and the “Qwerty” keylogger discovering that they share part of the source code and functionality.

Malware researchers at Kaspersky Lab have uncovered a link between the Regin malware platform and the attack platform cited in the last collection of document published by Edward Snowden to Der Spiegel magazine. The experts have discovered significant similarities between the source code of Regin malware and the one of a keylogger called QWERTY and alleged used by Five Eyes Intelligence.

The Regin malware platform was disclosed in late November, it is considered by security experts, one of the most advanced cyber espionage tools. Researchers speculated that Regin shows a level of complexity greater than Flame and Duqu. The Regin malware is used by threat actors to exfiltrate sensitive data and secrets from government agencies, banks, GSM telecom network operators and research institutions.

The researchers discovered a shared code and functionality between the two malicious agents and considering the high complexity of the Regin malware platform, they concluded that developers have used the same platform or belong to the same team. Kaspersky researchers Raiu and Soumenkov confirmed that the QWERTY malware is identical in functionality to a specific Regin plugin.

“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” wrote Kaspersky Lab researchers Costin Raiu and Igor Soumenkov in a report published on the Securelist blog.

The new collection of document examined by Der Spiegel magazine revealed that the NSA is now preparing for future dominance in cyberspace with the support of its allies, the FiveEye Intelligence is allegedly working to develop new offensive Internet-based capabilities that allow it to compromise critical computer networks of its adversaries.

The new archive leaked by Edward Snowden documents includes an overview of the malware platform, codenamed WARRIORPRIDE, which includes the QWERTY module used by the authors to log keystrokes from compromised Windows machines.

The Der Spiegel magazine confirmed that the WARRIORPRIDE malware is likely several years old and has likely already been replaced. QWERTY is composed of a core driver called QWERTYKM, that was designed to hook Windows keyboard manager and the QWERTYLP library, which logs user’s activity.

“Its structure is really simple. It’s made of a core component called QwertyKM, a driver that interfaces directly with Windows’ keyboard manager, and a QwertyLP library which interacts with the driver to retrieve the keys pressed by the user and keep track of them in a file. QWERTY is composed of the following binary files: • 20120.dll • 20121.dll • 20123.sys” is reported in one of the document publicly disclosed by the news agency.

20123.sys is the kernel mode component of the QWERTY keylogger that was developed starting from a plug-in called 50251 found in a Regin module.

q1 q2

The above images report side-by-side comparisons that demonstrate source code used by Regin and QWERTY  are quite identical. The researchers said that one piece of code in particular references plug-ins of the Regin platform and is used in QWERTY and its Regin counterpart.

“Most of the “Qwerty” components call plugins from the same pack (with plugin numbers 20121 – 20123), however, there is also one piece code that references plugins from the Regin platform. One particular part of code is used in both the “Qwerty” 20123 module and the Regin’s 50251 counterpart, and it addresses the plugin 50225 that can be found in the virtual filesystems of Regin. The Regin’s plugin 50225 is reponsible for kernel-mode hooking.” continues the Securelist blog post.

The experts that collaborated with Der Spiegel in the analysis of the binary files revealed that numerous components and libraries revealed a possible link between the WARRIORPRIDE platform and the Australian Signals Directorate, which is the Aussie government intelligence agency.

The researchers at Kaspersky Lab have no doubts, the QWERTY malware is a plugin designed to work as part of the Regin platform.

“This is solid proof that the QWERTY plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225,” Raiu and Soumenkov wrote. “As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules,” they also wrote. “They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.”

Pierluigi Paganini