Introduction

First publicly disclosed in November 2014 by security firms Symantec and Kaspersky Lab, Regin is a multi-stage cyber-attack platform engineered for long-term, stealthy intelligence-gathering operations. Regin’s architecture is defined by several key characteristics that underscore its focus on stealth and operational flexibility. It employs a complex, multi-stage loading process in which every component except the initial dropper is stored encrypted and hidden, so that any single component recovered in isolation reveals little about the overall framework.

This modularity is a core feature, allowing its operators to deploy custom payloads tailored to specific targets. These payloads range from standard remote access trojans to specialized modules designed to monitor and control critical telecommunications infrastructure.

Command and control (C2) uses multiple transports, including ICMP, HTTP/S, and custom TCP/UDP streams. Most notably, Regin establishes a peer-to-peer network of “communication drones” within a compromised environment, drastically reducing detectable outbound traffic and allowing the operators to reach network segments that have no direct path to the internet.

Perhaps its most unusual capability is its functionality for targeting Global System for Mobile Communications (GSM) networks. Regin possesses modules capable of compromising and controlling Base Station Controllers (BSCs), giving its operators the power to monitor and manipulate cellular communications.

This report provides a detailed technical dissection of the Regin platform, its architecture, network operations, payload capabilities, and the evidence supporting its attribution.

Architectural Framework

The Regin framework is built upon three core pillars: a multi-stage loading process, an encrypted virtual file system, and persistence techniques that leverage obscure corners of the Windows operating system.

The Staged Loading Process

Regin’s execution process is a carefully orchestrated sequence involving up to six distinct stages, a design that is fundamental to its stealth strategy. Each stage is responsible for decrypting and loading only the next one in the chain, meaning that the discovery of any single component in isolation reveals very little about the platform’s full capabilities. This “domino chain” of decryption effectively compartmentalizes the malware, impeding forensic analysis.

Stage 1: The Initial Dropper

This is the only unencrypted component of the Regin platform and serves as the entry point. Its sole purpose is to decrypt and execute the Stage 2 loader. Multiple 32-bit and 64-bit samples of the Stage 1 dropper have been identified, with some 64-bit versions signed with fake digital certificates masquerading as legitimate software from Microsoft Corporation and Broadcom Corporation to evade initial security checks.

The initial infection vector remains largely unconfirmed, though analysis of log files on one victim machine suggested an exploit delivered via Yahoo! Instant Messenger. Given the platform’s sophistication, it is highly probable that multiple, complex, and potentially zero-day exploits were used for initial access depending on the target.

Intermediate Stages (2-4): Covert Loaders

Unlike conventional malware, the components for Stages 2, 3, and 4 are not stored as standalone files on disk. Instead, they are hidden within other data structures, such as the Windows registry or NTFS extended attributes, and exist as decrypted code only in memory during execution. These stages function as a series of loaders, each one decrypting and launching the next until the core of the platform is active.

Stage 4/5: The Dispatcher Module

This component, often identified as a DLL named disp.dll, represents the user-mode core of the Regin framework. It can be considered the “brain” of the operation, containing the main orchestration logic.

It provides a centralized API for other modules to interact with, managing communications, accessing the encrypted virtual file system, and loading the various operational plugins that carry out the mission-specific tasks.

Stage 6: The Payloads

The final stage is the execution of the actual espionage modules. These are loaded by the dispatcher from the Encrypted Virtual File System (EVFS) and contain the specific tools required for the targeted intelligence-gathering operation.

Stage | Component Type | Storage Method | Encryption Status | Primary Function
1 | Dropper/Installer | Executable file (EXE/DLL) | Unencrypted | Initiates the loading sequence; decrypts and launches Stage 2.
2 | Kernel-mode Loader | Registry key / NTFS extended attribute | Encrypted | Loads the Stage 3 driver.
3 | Kernel-mode Driver | Registry key / NTFS extended attribute | Encrypted | Establishes kernel-level persistence; loads the Stage 4 dispatcher.
4/5 | User-mode Dispatcher | Encrypted Virtual File System (EVFS) | Encrypted | The “brain” of Regin; manages C2 communications and loads payloads.
6 | Modular Payloads | Encrypted Virtual File System (EVFS) | Encrypted | Carries out specific espionage tasks (e.g., keylogging, network sniffing).

The Encrypted Virtual File System (EVFS)

A key feature that sets Regin apart from other malware is its use of a custom Encrypted Virtual File System (EVFS). This technique allows the malware to store its numerous modules, configuration files, and stolen data without creating a large number of suspicious files on the host’s disk, which would be easily flagged by antivirus software or forensic investigators.

The EVFS is stored as a single, large block of data on disk, often masquerading as a legitimate system file. For instance, some variants have been observed using a fake Windows Event Log file (.evt) in the %System%\config directory to house the EVFS. Within this container, individual files are identified by numeric codes rather than human-readable names, so the contents of the file system cannot be interpreted without first reverse-engineering the dispatcher module that accesses it.

The encryption employed for the EVFS is a customized variant of the RC5 cipher, a block cipher notable for its simplicity but not widely used, making its presence a potential indicator. In addition to encryption, some data within the VFS is compressed using the nrv2e algorithm from the open-source UCL library, likely to reduce its on-disk footprint.

Security firm G DATA developed a detection script that identifies the presence of a Regin VFS by searching for a specific custom CRC32 checksum value located in the file system’s header.
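The value of the G DATA approach is that it keys on the container’s internal consistency rather than on a file name or extension, so a VFS hidden behind a fake .evt name is still found. The following is an added example of that detection style, not G DATA’s script and not Regin’s real on-disk layout: the header fields, the allowed sector sizes, and the use of the standard CRC32 polynomial (Regin’s checksum table is custom and not reproduced here) are all assumptions made for the demonstration.

```python
import binascii
import os
import struct
import sys

# Hypothetical container header used for this example only; it is NOT the
# real Regin VFS layout. Fields: sector size, sector count, file count
# (little-endian u16 each) followed by a CRC32 of those six bytes (u32).
HEADER = struct.Struct("<HHHI")
ALLOWED_SECTOR_SIZES = {256, 512, 1024, 2048, 4096}   # assumed plausible geometries


def header_crc(sector_size: int, sector_count: int, file_count: int) -> int:
    """CRC32 (standard polynomial, not Regin's custom table) over the header fields."""
    fields = struct.pack("<HHH", sector_size, sector_count, file_count)
    return binascii.crc32(fields) & 0xFFFFFFFF


def build_container(sector_size: int, sector_count: int, file_count: int, body: bytes) -> bytes:
    """Assemble a sample container so the detector can be exercised offline."""
    if len(body) != sector_size * sector_count:
        raise ValueError("body must be exactly sector_size * sector_count bytes")
    crc = header_crc(sector_size, sector_count, file_count)
    return HEADER.pack(sector_size, sector_count, file_count, crc) + body


def check_header(head: bytes, total_size: int) -> bool:
    """Structural check: plausible geometry AND a header checksum that verifies.

    The file name is never consulted; a fake .evt passes only if its header
    is internally consistent, which is what a checksum-based VFS scanner relies on.
    """
    if len(head) < HEADER.size:
        return False
    sector_size, sector_count, file_count, crc = HEADER.unpack_from(head)
    if sector_size not in ALLOWED_SECTOR_SIZES or sector_count == 0:
        return False
    if file_count > sector_count:            # every file needs at least one sector
        return False
    if total_size < HEADER.size + sector_size * sector_count:
        return False                          # declared geometry exceeds the file
    return crc == header_crc(sector_size, sector_count, file_count)


def looks_like_container(blob: bytes) -> bool:
    return check_header(blob[:HEADER.size], len(blob))


def scan_directory(root: str) -> list:
    """Return paths under root whose leading bytes satisfy the structural check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER.size)      # only the header is read
                if check_header(head, os.path.getsize(path)):
                    hits.append(path)
            except OSError:
                continue
    return hits


if __name__ == "__main__":
    # Usage: python evfs_scan.py <directory>  (e.g. a mounted image's System32\config)
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("possible encrypted container:", hit)
```

Because only the header is read, the scanner is cheap to run across an entire mounted disk image; the geometry checks exist to keep the checksum test from firing on random data whose first ten bytes happen to agree with themselves.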

Advanced Persistence and Obfuscation Techniques

NTFS Extended Attributes

One of the most novel techniques used by Regin is the storage of its payload within the Extended Attributes of an existing NTFS file.

Extended Attributes are a little-used feature of the NTFS file system that allows for arbitrary metadata to be attached to a file, separate from its main data stream. Because very few forensic tools routinely inspect these attributes, it serves as an excellent hiding place.

Regin specifically retrieves its payload from attributes named with a single underscore (_).

Registry Storage

The encrypted executables for the intermediate stages of the malware (Stages 2 and 3) are not written to disk as files. Instead, they are stored directly within the Windows Registry. Specific registry keys have been identified as storage locations, including \REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList and several custom keys under CurrentControlSet\Control\Class.

Kernel-Mode Operations

The Regin platform includes kernel-mode drivers and a rootkit, allowing it to operate with the highest level of privilege on a system and hide its processes and files from the operating system itself.

Network Operations: Covert Command, Control, and Peer-to-Peer Communication

The network communication architecture of Regin is designed to operate covertly within target networks, minimize detectable outbound traffic, and maintain resilient command and control (C2) channels. This is achieved through an innovative peer-to-peer model and a flexible, multi-protocol transport layer, enabling the operators to adapt to diverse network environments and evade detection for extended periods.

The “Communication Drone” Model: A Peer-to-Peer C2 Architecture

Unlike typical botnets where each infected host communicates directly with an external C2 server, Regin employs a far more subtle peer-to-peer (P2P) architecture. Within a compromised organization, infected machines, referred to as “communication drones,” form an internal network. Most of these drones only communicate with each other, relaying commands and data across the victim’s LAN or WAN.

This P2P communication uses a variety of protocols, including standard HTTP and internal Windows protocols like SMB over named pipes. The primary advantage of this model is the reduction of the malware’s external footprint. Instead of multiple nodes beaconing out to the internet, only a few select drones, designated as gateways or “translation drones,” are responsible for communicating with the external C2 infrastructure.

Kaspersky’s analysis of an intrusion in the Middle East provided an example of this architecture in action. A P2P network was established connecting the president’s office, a research center, and a bank. All C2 traffic was routed internally between these high-value targets, with only one node acting as a gateway to exfiltrate data to a C2 server in India.

Multi-Protocol C2 Channels and Transport Plugins

Regin’s modularity extends to its C2 communications. The core dispatcher module (disp.dll) can load different “transport plugins,” each designed to use a specific network protocol. This gives operators the flexibility to choose the most effective and least conspicuous C2 channel for a given target’s network environment.

Analysis of decoded configuration files has revealed a range of transport plugins, identified by unique numeric IDs.

Plugin ID | Protocol | Typical Use Case | Stealth Characteristics
27 | ICMP | External C2 / internal P2P | Uses raw sockets; traffic blends with legitimate network diagnostic pings and is often not inspected by firewalls.
50037 | HTTP | External C2 / internal P2P | Commands and data are embedded in standard HTTP traffic, likely within custom headers or cookies, to evade detection.
50051 | HTTPS | External C2 | Encrypts C2 traffic with SSL/TLS, making it hard to distinguish from legitimate secure web traffic.
50271 | SMB (named pipes) | Internal P2P / lateral movement | Leverages a native Windows protocol for inter-process communication, blending in with normal administrative and file-sharing activity.
50035 | Custom TCP/UDP | External C2 / internal P2P | Uses a Winsock-based transport for flexible communication over custom TCP or UDP ports, avoiding signatures for standard protocols.

The use of ICMP for C2 is particularly noteworthy. As a control protocol that by design carries no application data, its packets are often allowed through firewalls with minimal inspection. Regin can embed its C2 communications within ICMP echo request/reply packets, creating a highly resilient and covert channel.

Other malware, like Pingback, has demonstrated how specific ICMP sequence numbers can be used to signal different commands, a technique possibly employed by Regin as well.
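An ICMP channel is covert against a firewall that only looks at the ICMP type, but echo traffic has a very regular shape that a detector can exploit: a plain ping carries a fixed, well-known payload, the reply mirrors the request byte for byte, and the checksum is always valid. The following added example (not code from Regin or from any of the cited vendors) builds a short constructed stream of ICMP echo packets and audits them against those three properties. The “standard” payload templates for the Windows and Linux ping utilities and the 40-byte command blob are assumptions made for the demonstration; Regin’s real ICMP framing is not reproduced.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Default payloads of common ping utilities (assumed templates for this example):
# Windows ping sends 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi"; Linux ping
# sends 56 bytes: an 8-byte timestamp followed by the byte pattern 0x10..0x3f.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a valid message it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> dict:
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": msg_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": pkt[8:]}


def is_standard_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def audit_echo_stream(packets) -> list:
    """Return [(index, [reasons])] for echo packets that deviate from plain ping behaviour."""
    findings = []
    pending = {}   # (id, seq) -> request payload, so replies can be checked for mirroring
    for i, pkt in enumerate(packets):
        if len(pkt) < 8:
            continue
        p = parse_echo(pkt)
        if p["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        reasons = []
        if icmp_checksum(pkt) != 0:
            reasons.append("invalid checksum")
        if not is_standard_ping_payload(p["payload"]):
            reasons.append("payload is not a standard ping template (%d bytes)" % len(p["payload"]))
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            pending[key] = p["payload"]
        elif key in pending and pending.pop(key) != p["payload"]:
            reasons.append("reply payload does not mirror the request")
        if reasons:
            findings.append((i, reasons))
    return findings


def sample_packets() -> list:
    """Constructed traffic: one benign Windows ping exchange, then one covert exchange."""
    benign_req = build_echo(ICMP_ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD)
    benign_rep = build_echo(ICMP_ECHO_REPLY, 0x0001, 1, WINDOWS_PING_PAYLOAD)
    # Made-up 40-byte "command" blob and a non-mirroring "result" blob.
    cmd = b"\x7f\x02" + b"tasklist /v\x00".ljust(38, b"\x90")
    covert_req = build_echo(ICMP_ECHO_REQUEST, 0x1337, 7, cmd)
    covert_rep = build_echo(ICMP_ECHO_REPLY, 0x1337, 7, b"\x7f\x03OK".ljust(40, b"\x00"))
    return [benign_req, benign_rep, covert_req, covert_rep]


if __name__ == "__main__":
    for index, reasons in audit_echo_stream(sample_packets()):
        print("packet %d: %s" % (index, "; ".join(reasons)))
```

The mirroring check is the one most worth keeping in production: an operator can imitate a ping payload template, but a channel that needs to return data in the reply cannot also keep the reply identical to the request.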

External C2 Infrastructure and Data Exfiltration

The external C2 infrastructure is kept intentionally small and geographically dispersed. The few identified C2 IP addresses were located in countries such as India, Taiwan, and Belgium, likely hosted on compromised servers to further obfuscate the operator’s true location.

Data exfiltration follows the same tiered communication path. Stolen data is not sent directly from the source machine to the external C2. Instead, it is passed through the internal P2P network to a gateway drone, which is then responsible for the final exfiltration. In some cases, to further evade detection, valuable data is not even written to the local disk before being exfiltrated, making post-mortem forensic analysis incredibly difficult.
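The drone model described in this section and in the “communication drone” section above leaves a signature in flow telemetry even when every individual session looks benign: several internal hosts feed one peer over protocols they would not normally use with each other, and that single peer is the only one of the group with an external connection. The following is an added example of that hunt, not tooling from any of the cited vendors. The flow records are constructed, the “internal” definition is the RFC 1918 ranges (a real deployment would use the site’s own address plan), and the external addresses are taken from the documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Site-specific definition of "internal"; RFC 1918 is assumed here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, proto, dst_port, bytes); not real telemetry.
SAMPLE_FLOWS = [
    ("10.1.1.5",   "10.1.1.20",    "tcp",  445, 48_000),   # workstation -> drone over SMB
    ("10.1.1.9",   "10.1.1.20",    "tcp",  445, 51_000),
    ("10.1.2.7",   "10.1.1.20",    "icmp",   0,  9_000),   # ICMP "ping" carrying data
    ("10.1.3.3",   "10.1.1.20",    "tcp",   80, 22_000),   # HTTP to a host that is not a web server
    ("10.1.1.20",  "203.0.113.8",  "tcp",  443, 130_000),  # the lone egress to external C2
    ("10.1.1.5",   "10.1.1.9",     "tcp",  445,  3_000),   # ordinary file-share chatter
    ("10.1.1.9",   "10.1.1.5",     "tcp",  445,  2_000),
    ("10.1.1.30",  "198.51.100.4", "tcp",  443,  5_000),   # normal user browsing
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def profile_hosts(flows):
    """Per host: set of internal peers, bytes received from them, bytes sent externally."""
    internal_peers = defaultdict(set)
    inbound_internal = defaultdict(int)
    external_bytes = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            internal_peers[src].add(dst)
            internal_peers[dst].add(src)
            inbound_internal[dst] += nbytes
        elif is_internal(src):
            external_bytes[src] += nbytes
    return internal_peers, inbound_internal, external_bytes


def find_gateway_candidates(flows, min_peers: int = 3) -> list:
    """Hosts that aggregate traffic from several internal peers AND talk externally,
    ranked by external volume. Internal volume is reported so an analyst can see
    whether what went out roughly matches what was collected inside."""
    peers, inbound, external = profile_hosts(flows)
    candidates = []
    for host, ext_bytes in external.items():
        if len(peers[host]) >= min_peers:
            candidates.append({
                "host": host,
                "internal_peers": len(peers[host]),
                "inbound_internal_bytes": inbound[host],
                "external_bytes": ext_bytes,
            })
    return sorted(candidates, key=lambda c: c["external_bytes"], reverse=True)


if __name__ == "__main__":
    for c in find_gateway_candidates(SAMPLE_FLOWS):
        print("%(host)s: %(internal_peers)d internal peers, %(inbound_internal_bytes)d bytes in, "
              "%(external_bytes)d bytes out" % c)
```

The threshold on peer count is deliberately low because the page’s own example network was only a handful of hosts; on a large estate, restrict the candidate set to hosts that are not known servers before applying it, otherwise every file server qualifies.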

The Payload Arsenal

Standard Intelligence-Gathering Modules

At its core, Regin is equipped with a suite of payloads that provide comprehensive remote access and surveillance capabilities, typical of any remote access trojan (RAT).

Keystroke Logging

A keylogger module, identified as plugin 50251, records all keystrokes on an infected machine. Technical analysis by Kaspersky revealed that this module is functionally identical to a keylogger codenamed “QWERTY,” a known component of the WARRIORPRIDE malware platform used by the Five Eyes intelligence alliance.

Credential Theft

Regin includes modules designed to steal a wide range of credentials, including Windows logon passwords and credentials stored by web browsers.

Screen and Input Capture

The platform can capture screenshots of the victim’s desktop and record mouse clicks, providing a direct view of the user’s activity.

Network Traffic Monitoring

Payloads can be deployed to sniff network traffic passing through the infected device. This includes the capability to intercept and view data from SSL-protected sessions, suggesting the use of man-in-the-middle techniques.

System Reconnaissance

Standard modules gather detailed information about the compromised system, including running processes, memory utilization, and hardware configuration.

Specialized and High-Value Payloads

GSM Network Exploitation

Regin’s most sophisticated capability is its module for targeting GSM (Global System for Mobile Communications) network infrastructure.

Researchers discovered an activity log from a compromised GSM Base Station Controller (BSC), a critical component that manages cellular base stations. This log revealed that the attackers were executing Ericsson MML (Man-Machine Language) commands, the command-line interface used to manage that vendor’s telecommunications equipment.

The logged commands included rxmop (check software version), rlstc (activate cell), rlstp (deactivate cell), and rlnri (add a neighboring cell), demonstrating a deep level of control over the cellular network. Such access would enable the operators to intercept calls and SMS messages, track the location of specific mobile users, and potentially disrupt cellular service.

The log file also contained plaintext usernames and passwords for engineering accounts on the BSC, confirming a full compromise of the device.
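A BSC command log of this kind is also where a telecom operator would detect the intrusion, because the commands the report names have clear operational meanings: rxmop only reads state, while rlstc, rlstp and rlnri change the live radio network. The following added example (not the recovered log and not vendor tooling) parses a constructed log in a hypothetical “timestamp account command;” format and raises alerts for state-changing commands issued by accounts or at hours outside an assumed maintenance policy. Only the four commands the report names are classified; anything else is reported as unknown rather than guessed.

```python
import re
from datetime import datetime

# Commands named in the recovered BSC log, with the effect the report attributes
# to them and an impact class assumed for alerting. Nothing else is classified.
MML_COMMANDS = {
    "RXMOP": ("check software version", "read"),
    "RLSTC": ("activate cell", "change"),
    "RLSTP": ("deactivate cell", "disruptive"),
    "RLNRI": ("add neighbouring cell", "change"),
}

# Hypothetical log line format for this example: "<ISO timestamp> <account> <MML command>;"
LINE_RE = re.compile(r"^(?P<ts>\S+T\S+)\s+(?P<user>\S+)\s+(?P<cmd>[A-Za-z]{5})(?P<params>[^;]*);")

# Constructed sample log: an off-hours session from a service account that
# rewires and then drops a cell, followed by a daytime restore by an admin.
SAMPLE_LOG = """\
2014-03-02T02:11:43 svc_eng RXMOP:MO=RXOTG-12;
2014-03-02T02:12:05 svc_eng RLNRI:CELL=ABC123,CELLR=ABC124;
2014-03-02T02:13:40 svc_eng RLSTP:CELL=ABC123;
2014-03-02T10:30:01 oss_admin RXMOP:MO=RXOTG-12;
2014-03-02T10:31:17 oss_admin RLSTC:CELL=ABC123;
"""


def parse_mml_log(text: str) -> list:
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m["cmd"].upper()
        desc, impact = MML_COMMANDS.get(name, ("unknown", "unknown"))
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "cmd": name,
            "params": m["params"].lstrip(":"),
            "desc": desc,
            "impact": impact,
        })
    return events


def audit_mml(events, maintenance_hours=range(8, 18), approved_users=("oss_admin",)) -> list:
    """Return [(event, [reasons])] for commands that violate the assumed change policy."""
    alerts = []
    for e in events:
        reasons = []
        if e["impact"] in ("change", "disruptive"):
            if e["user"] not in approved_users:
                reasons.append("state change by non-approved account")
            if e["ts"].hour not in maintenance_hours:
                reasons.append("state change outside maintenance window")
        elif e["impact"] == "unknown":
            reasons.append("command not in allow-list")
        if reasons:
            alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in audit_mml(parse_mml_log(SAMPLE_LOG)):
        print("%s %s %s (%s): %s" % (event["ts"].isoformat(), event["user"], event["cmd"],
                                      event["desc"], "; ".join(reasons)))
```

The plaintext engineering credentials the report mentions are exactly why the account check matters: once an attacker holds a legitimate account, the only remaining signals are what that account does and when.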

Microsoft IIS Monitoring

A custom payload was developed to specifically monitor traffic on Microsoft Internet Information Services (IIS) web servers. This was likely used to intercept web application data or steal administrative credentials from web portals.

Lateral Movement and Replication Modules

To propagate within a target network, Regin uses dedicated replication modules. These are typically copied to remote computers via standard Windows administrative shares (ADMIN$), a technique that requires the attackers to have already obtained administrative credentials through other means.

Kaspersky identified two such tools with the codenames “Legspin” and “Hopscotch,” which function as interactive command-line utilities for lateral movement, allowing operators to authenticate to other machines and deploy the Regin payload.

Conclusion

Regin represents an operational philosophy where long-term, persistent access is valued far more than short-term intelligence gains. Its architecture is not built for speed or disruption but for stealth and longevity.

The investment in a complex P2P C2 network and unconventional data storage methods demonstrates a clear priority: to establish a permanent, undetectable presence inside an adversary’s most critical infrastructure.

The targeting of a telecommunications provider’s core network components is the epitome of this strategy. Gaining control over a BSC is not about stealing a single document, it’s about acquiring the capability to monitor an entire stream of national and international communications, a foundational goal of signals intelligence.
