Applying Vectra to the Regin Malware

Applying Vectra to the Regin Malware

Wade Williamson
December 3, 2014

Researchers at Symantec have recently disclosed the presence of a highly sophisticatedmalware platform known as ‘Regin’. This new strain of malware instantly joins Stuxnet, Flame, and Duqu on the list of some of the most advanced malware ever seen. And like the other members of this elite state-sponsored fraternity, Regin malware appears to be purpose-built for espionage with the ability to quietly infect, spread, and persist within a targetnetwork for long periods of time.

As you might expect, the malware developers went to great lengths to keep the malicious payload and its actions well hidden from security solutions. The sample itself was somewhat of a matryoshka doll in which the actual malware functionality was nested within multiple layers with each requiring successive decryption before the true functionality was revealed. Likewise, the malware employed a variety of tricks to keep its communications hidden such as hiding commands within HTTP cookies and proxying traffic through multiple infected hosts to exfiltrate data.

The malware spread through the network by compromising system administrators, and using their credentials to spread laterally across Windows administrative shares. In fact, additional research from Kaspersky found the malware was able to compromise a telco provider and spread through the network all the way to GSM base-stations where the malware could monitor calls.

This sort of stealthy, multi-stage attack is precisely the type of threat that Vectra is uniquely able to detect so it can be stopped. In fact, many of the same traits that allow Regin to evade traditional security are some of the keys that Vectra uses to pinpoint the attack. Here are three examples:

Focusing on the Inside of the NetworkRegin and those who used it were so masterful in bypassing traditional perimeter controls that even after considerable analysis, a specific infection vector has yet to be confirmed. Furthermore, Regin specifically targeted sys-admins who are typically the most security conscious individuals in a network. This is a clear sign that those behind Regin were supremely confident in their ability to breach the perimeter without detection.

However, once it evaded the perimeter, Regin needed to spread to other strategic points in the network, collect information and ultimately exfiltrate data. Vectra Networks focuses on this long, ongoing portion of the attack by applying data science to all internal network traffic to reveal lateral spread, data acquisition and exfiltration of an ongoing attack. Specifically, when malware such as Regin uses administrative shares to spread malware internally, Vectra’s continuous monitoring of the internal network and machine learning is able to automatically identify this lateral movement.

Later on, when it came time to exfiltrate data, Regin would proxy the data through multiple compromised hosts before uploading the data to a waypoint on the Internet. While such internal behavior is typically invisible to traditional security, Vectra’s intelligence tracks this staged data transfer across multiple hosts and clearly reveals a very serious attack.

Data Science Over SignaturesLike most advanced attacks, Regin communications were highly customized in order to avoid triggering traditional security signatures. Regin used Remote Access Tunnel (RAT) tools for ongoing administration of the attack and was able to download a variety of additional payloads to extend the functionality of the malware. While traditional security solutions can build sophisticated signatures to identify specific RATs and downloaders, new and customized tools can easily bypass these signatures. Vectra uses data science and machine learning to identify the telltale patterns and behavior of RAT tools so that they can be identified regardless of the specific RAT tool that was employed. This enables security teams to identify the presence of a RAT in their network even when the specific tool hasn’t been seen before.

In addition, Regin was able to hide commands in seemingly benign communications. In particular, the malware and its remote attackers were able to communicate through commands hidden in HTTP cookies. Vectra identifies this and many other hidden tunnels within HTTP as well as other protocols, again finding a smoking gun of an advanced attack. Needless to say, the ability to manage the attack and update the malware is the lifeblood of a sophisticated attack, and Vectra uniquely empowers security teams to detect and disrupt this critical stage of an attack.

The Sum is Greater Than the PartsThe examples covered above are just a few of the indicators of compromise (IOCs) that are possible with the Vectra X-series platform. However, the point of Vectra is to take the myriad IOCs, correlate them to the host under attack and tell a story about what the attacker is doing as well as the current phase of the attack so that security teams can take action confidently. This is where Vectra most significantly turns the tables on sophisticated attackers. While an advanced attack may leave behind a variety of anomalies or clues, they are often inconclusive when viewed individually. Too often, the relevance of those uncorrelated clues is only obvious in hindsight.

Vectra addresses this problem by connecting the entire lifecycle of the attack into a single integrated view. Quite literally, Vectra gets stronger as the attack becomes more complex. From a single view, security teams can see the command and control, internal reconnaissance, lateral spread, and exfiltration phases of an attack as an integrated whole. The more dangerous the attack, the more it stands out in the Vectra user interface. Instead of hiding in the noise of a busy enterprise network, Vectra is able to coalesce vast amounts of data to reveal the threat detections that truly matter.

Click here to learn more about how Vectra can expose advanced threats in your network