Anti-virus software company Kaspersky has claimed a link between the QWERTY keystroke logger and the Regin malware after a line by line analysis of the code.
Regin is a malware toolkit first discovered by Kaspersky, which was discovered on the network of Belgian telecoms company Belgacom, which the Edward Snowden leaks suggested that British spy agency GCHQ was behind. However, more than half of know Regin malware infections were discovered on computers in either Russia or Saudi Arabia. Kaspersky claims that Regin has been in circulation in various forms for ten years.
According to German newspaper Der Spiegel, which is still rummaging through some of the thousands of US National Security Agency (NSA) documents leaked by whistleblower Edward Snowden, Kaspersky conducted a line-by-line analysis of QWERTY against its database of alleged state malware in order to uncover the link.
“Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform. The QWERTY keylogger doesn’t function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225,” wrote Costin Raiu, head of research at Kaspersky, in a blog post on Securelist revealing the information.
“Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together,” he continued.
According to Der Spiegel, there are also references to cricket in the source code, which would narrow down the likely perpetrators significantly. It continued: “There are many similarities with the cyber-weapons system that the intelligence agencies call “Warriorpride” in the Snowden documents.”
Uncovering either Regin or QWERTY is no easy task, however: “Regin plugins are stored inside an encrypted and compressed VFS, meaning they don’t exist directly on the victim’s machine in “native” format. The platform dispatcher loads and executes there plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.”