Link between NSA and Regin cyberespionage malware becomes clearer
Keylogging malware that may have been used by the NSA shares significant portions of code with a component of Regin, a sophisticated platform that has been used to spy on businesses, government institutions and private individuals for years.
The keylogger program, likely part of an attack framework used by the U.S. National Security Agency and its intelligence partners, is dubbed QWERTY and was among the files that former NSA contractor Edward Snowden leaked to journalists. It was released by German news magazine Der Spiegel on Jan. 17 along with a larger collection of secret documents about the malware capabilities of the NSA and the other Five Eyes partners: the intelligence agencies of the U.K., Canada, Australia and New Zealand.
"We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin," malware researchers from antivirus firm Kaspersky Lab said Tuesday in a blog post. "Looking at the code closely, we conclude that the QWERTY malware is identical in functionality to the Regin 50251 plugin."
Moreover, the Kaspersky researchers found that both QWERTY and the 50251 plug-in depend on a different module of the Regin platform, identified as 50225, which handles kernel-mode hooking. This component allows the malware to run in the highest privileged area of the operating system: the kernel.
http://www.pcworld.com/article/2876112/link-between-nsa-and-regin-cyberespionage-malware-becomes-clearer.html