Kaspersky Says QWERTY Spy Tool Tied to Regin Malware

Researchers with Kaspersky Labs say all signs indicate that a malicious keylogger called "QWERTY," reportedly leaked from the NSA (National Security Agency), comes from the same source as the Regin malware platform, likely developed with the support of a nation-state. They made the connection after examining files about QWERTY that were among the documents provided by former NSA contractor and whistleblower Edward Snowden.

"We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin," Kaspersky researchers, Costin Raiu and Igor Soumenkov, wrote on the cybersecurity firm's SecureList Web site. "Looking at the code closely, we conclude that the 'QWERTY' malware is identical in functionality to the Regin 50251 plugin."

Their analysis leads them to conclude that QWERTY is a plugin designed to work as part of the Regin platform. "Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together," the researchers said.

Regin a 'Sophisticated Attack Platform'

In a detailed lab report about the Regin platform published in November, Kaspersky researchers compared Regin to another piece of malware called Turla and concluded, "Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analyzed." The Regin toolkit enables the actors deploying it to penetrate and monitor Global System for Mobile Communications (GSM) networks.

While Kaspersky hasn't been able to pinpoint when Regin first appeared in the wild, it has found some instances with timestamps dating back to 2003.

"The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations," according to the Kaspersky report. "In today's world, we...
