QWERTY keylogger claimed to link Regin malware to NSA

News by Vaughan O'Grady

QWERTY module from Snowden linked to Regin, strengthening case for NSA origin.

The ongoing Regin plugin for malware story has taken a new twist in recent days with the publication in German news magazine Der Spiegel of an article drawing on documents supplied by Edward Snowden.

The Spiegel piece included a copy of a malicious program codenamed QWERTY that came from the Snowden archive. IT security company Kaspersky has compared the code with malware programs it has on file and has suggested that QWERTY is the keylogger-module from Regin. In a recent blog post, Kasperksy noted that the QWERTY keylogger “doesn't function as a stand-alone module,” like Hopscotch and Legspin, and that it “relies on kernel-hooking functions which are provided by the Regin module 50225.”

The complexity of the Regin platform and the limited likelihood that it can be duplicated by somebody who has no access to its source codes, has convinced Kaspersky that the QWERTY malware developers and the Regin developers are the same or working together. In Kaspersky's view this means NSA and other intelligence agencies around the globe that are part of the Five Eyes Alliance are the most likely culprits.

Sarb Sembhi, a director with Storm Guidance, and a leading light in ISACA, the not-for-profit IT security association, points out that Kaspersky is not necessarily alone in linking QWERTY and Regin. Various pieces of information collated over the years, some of which may not have seemed immediately significant, have come together recently and now “there seems to be a direct link suggesting that QWERTY is only a small part of the framework Regin belongs to.”

But QWERTY alone is not Regin, and the problem is that not only have all its fellow Regin components not become apparent yet but some of them are able to change or mask the others. Thus, says Sembhi, “Regin doesn't stay the same; it's continually changing.”

The Kaspersky finding is therefore valuable but that still doesn't solve the problem of identifying all the components that make up Regin. However, it may help security groups to deal with it. As Clive Longbottom, founder of research and analysis company Quocirca, says, “If the QWERTY keylogger is a core part of the whole package, being able to pattern match activity across what is already known about Regin and what QWERTY does can make it easier to identify a possible malicious action, and so to do something about it: isolation, if not remediation.”

More worrying perhaps is the fact that, as Longbottom points out, “If Regin did originate in the NSA, then the code has now escaped into the wild, as the screen comparisons do not indicate reverse engineering.”

Sembhi notes that other extremely sophisticated malware written — or thought to be written — by state players has in the past been adapted for less state-directed purposes once this has happened. “Criminals will use those techniques — if not the exact same code — to develop and expand on for criminal purposes,” he says. And Longbottom adds: “There are plenty of dark web outlets where code stubs can be picked up for use in a new threat.”

There is one advantage, however, Longbottom says. “Reuse does make identification easier for the security companies; it is unlikely that this reuse would be by an advanced blackhat group aiming for some large commercial or espionage capability.  It's far more likely to be more a single or group of chancers looking to make a quick buck.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews