Regin and WARRIORPRIDE are one and the same

Jan 27, 2015 14:13 GMT  ·  By

A keylogging module that works with WARRIORPRIDE, a malware platform known to be used by the US National Security Agency (NSA), has been found to share a large chunk of its code with a component of the Regin malicious toolkit.

WARRIORPRIDE is not used by the NSA exclusively; it appears to be shared by the intelligence agencies of the Five Eyes nations (the US, UK, Canada, Australia and New Zealand).

Plug-ins have been designed for the same platform

German newspaper Der Spiegel published on January 17 a new batch of secret NSA documents provided by whistleblower Edward Snowden, revealing a keystroke interception module called Qwerty, which the intelligence agency uses together with WARRIORPRIDE.

Security researchers at Kaspersky obtained a copy of the malware and identified the file 20123.sys as the kernel-mode component of the keylogger; following analysis, they made the connection with Regin plug-in 50251. “Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin,” they say in a blog post published on Tuesday.

The code shared by the two pieces belongs to the function responsible for accessing the system keyboard driver. Moreover, the researchers found evidence that both the Qwerty and 50251 components call the same plug-in, 50225, which provides kernel-mode hooking in the Regin malicious toolkit.

“This is a solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225,” the researchers say.

Adding to the evidence that both components run on the same platform is the fact that they include the startup code present in all Regin plug-ins, along with the number assigned to each plug-in within the platform.

Both tools are created by the same developers

The numbers assigned to the Qwerty component (20123) and the Regin plug-in (50251) are different, but Kaspersky suggests this could be because multiple actors use the platform, with a separate ID range allocated to each so that their plug-ins do not interfere with one another.

This would fit the Five Eyes scenario, in which the nations involved rely on the same platform and tools for their espionage activities.

“Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work as part of the Regin platform. The QWERTY keylogger doesn't function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225,” say the researchers.

Regin's targets range from telecommunication companies, government organizations and political entities to financial institutions, academic research bodies and specific individuals.

Their conclusion about Regin and Qwerty is clear: the same developers worked on both pieces, since their complexity rules out duplicating them without access to the source code.

Image gallery (3 images): Qwerty plugin and Regin component share source code. Captions: "Most code in the two plug-ins is the same"; "Shared code is for accessing the system keyboard driver"; "Plug-ins have different IDs likely because multiple actors use them but startup code is the same".