
Wednesday, September 2, 2015

Symantec just proved Malware Management works with Regin update

I have blogged about Malware Management and Regin before, and about how the practice can improve your Information Security program, your Malware Discovery and Active Defense efforts, and your Malware Analysis. The idea is simple: take the reports published by AV companies, IR firms and bloggers like 'Malware Must Die' (and here, of course), read them, pull out the artifacts (or IOCs, if you must) and apply them to all of the above.

"Symantec is aware of two distinct versions of Regin. Version 1.0 appears to have been used from at least 2008 to 2011. Version 2.0 has been used from 2013 onwards, though it may have possibly been used earlier."

In November 2014 Symantec and others published details of the Regin malware (see the links below). In August 2015 Symantec updated its report, "Regin: Top-tier espionage tool enables stealthy surveillance", and in doing so proved the point: if you had read the first Regin reports and acted on them, you would have been well on your way to detecting the update, or any similarly crafted malware, had you been unfortunate enough to contract the malware disease known as Regin.

You would already be watching for things like:
* New files being added to \Windows, \Windows\Fonts, \Windows\Cursors and \Windows\IME
* New files being added to \System32, \System32\Config and \System32\Drivers
* Auditing certain Registry Keys
* Auditing for files that have NTFS Extended Attributes
* Filename extensions that do not fit the directory they land in
* Large Registry blobs (size does matter)
* New entries under Software\Classes keys
* See the report Appendix for more details
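To make the list concrete, here is an added example (my illustration, not code from the original post, from Symantec or from any of the linked reports) that applies the watch list above to a constructed stream of Windows change events: new files in the watched directories, extensions out of place in \Fonts and \Cursors, new Software\Classes entries, oversized registry values, and NTFS extended attribute writes. The event shape, field names, the 64 KB "large blob" threshold and the expected-extension table are all assumptions standing in for whatever your EDR, Sysmon or audit-log pipeline actually exports, and the sample events are constructed, not taken from a real incident.

```python
# Added example, not code from the original post or from the Regin reports.
# Applies the Regin-derived watch list to constructed Windows change events.
# Event shape/field names are assumptions for an EDR or audit-log export.
import ntpath                      # handles backslash paths on any platform
from collections import Counter

# Locations the Regin reports call out; matched against the DIRECT parent directory.
WATCHED_DIRS = {d.lower() for d in (
    r"C:\Windows", r"C:\Windows\Fonts", r"C:\Windows\Cursors", r"C:\Windows\IME",
    r"C:\Windows\System32", r"C:\Windows\System32\Config",
    r"C:\Windows\System32\Drivers",
)}

# Extensions that normally belong in these directories (tuning assumption).
EXPECTED_EXT = {
    r"c:\windows\fonts": {".ttf", ".ttc", ".otf", ".fon"},
    r"c:\windows\cursors": {".cur", ".ani"},
}

WATCHED_REG_PREFIXES = (r"hklm\software\classes",)   # new entries here are suspicious
LARGE_VALUE_BYTES = 64 * 1024                        # "registry blob" threshold (assumption)


def check_event(ev):
    """Return the list of rule names this single event trips (empty if clean)."""
    hits = []
    kind = ev["type"]
    if kind == "file_create":
        path = ev["path"].lower()
        parent = ntpath.dirname(path)
        if parent in WATCHED_DIRS:
            hits.append("new-file-in-watched-dir")
            ext = ntpath.splitext(path)[1]
            # Only directories with a known-good extension set get this check.
            if parent in EXPECTED_EXT and ext not in EXPECTED_EXT[parent]:
                hits.append("unexpected-extension")
    elif kind == "reg_set_value":
        key = ev["key"].lower()
        if key.startswith(WATCHED_REG_PREFIXES) and ev.get("new_key", False):
            hits.append("new-classes-entry")
        if ev.get("size", 0) >= LARGE_VALUE_BYTES:
            hits.append("large-registry-blob")
    elif kind == "ea_set":
        # Regin stored payloads in NTFS extended attributes; any EA write is worth a look.
        hits.append("ntfs-extended-attribute-written")
    return hits


def triage(events):
    """Map event index -> rules tripped, omitting events that trip nothing."""
    result = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            result[i] = hits
    return result


def summarize(events):
    """Count how often each rule fires across the whole event stream."""
    counts = Counter()
    for hits in triage(events).values():
        counts.update(hits)
    return counts


# Constructed sample events (not from a real incident); names are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\Fonts\sample.ttf"},            # plausible font
    {"type": "file_create", "path": r"C:\Windows\Fonts\sample.dat"},            # wrong place for .dat
    {"type": "file_create", "path": r"C:\Windows\System32\Drivers\sample.sys"}, # new driver
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},     # unwatched location
    {"type": "reg_set_value", "key": r"HKLM\SOFTWARE\Classes\sample.ext",
     "new_key": True, "size": 32},                                              # new Classes entry
    {"type": "reg_set_value", "key": r"HKLM\SOFTWARE\Sample\Config",
     "new_key": False, "size": 200_000},                                        # oversized value
    {"type": "ea_set", "path": r"C:\Windows\Temp\sample.bin"},                  # EA written
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], "->", ", ".join(hits))
    print(dict(summarize(SAMPLE_EVENTS)))
```

The point is not the script itself but the workflow: each rule is one line lifted from a public report, and the same small set of rules catches the clean-looking font drop, the new driver and the registry blob without any Regin-specific hash or file name. Swap the constructed events for your own audit feed and tune the threshold and extension tables to your environment.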

Several of the locations and techniques found in Regin I have seen in other APT malware, and some even in commodity malware. So if you start reading these reports, pulling out the data and acting on it, you are in essence practicing Malware Management and improving your Malware Discovery, Active Defense and Information Security program. And if you analyze malware, you will have a better idea of what to look for and where.

Early reports on Regin and Symantec's update:

Symantec Report on Regin

The Intercept article on Regin

Kaspersky report on Regin

F-Secure report on Regin

Happy Hunting everyone, Malware Management ROCKS!

#InfoSec #MalwareArchaeology