
Firm finds link between Regin spy tool and QWERTY keylogger


Researchers have found that a surveillance tool detailed in recent Snowden leaks is “identical in functionality” to a plugin for the malware known as “Regin.”

Earlier this month, the publication Der Spiegel published the source code for QWERTY keylogger malware, revealing that it was used by the NSA and other intelligence agencies around the globe that are part of the Five Eyes Alliance. After comparing the released code with its own findings on Regin, analysts at Kaspersky concluded that the malware developers of QWERTY and Regin are one and the same, or at least working together, a Tuesday blog post revealed.

Kaspersky noted that the Regin module to which QWERTY is identical in functionality is the Regin 50251 plugin.

The findings come soon after Kaspersky analyzed two separate modules of Regin last week, called "Legspin" and "Hopscotch," which carried stand-alone functionalities.

In its Tuesday blog post, Kaspersky noted that the QWERTY keylogger “doesn't function as a stand-alone module,” like Hopscotch and Legspin, and that it “relies on kernel hooking functions which are provided by the Regin module 50225.”

In follow-up email correspondence, Igor Soumenkov, principal security researcher at Kaspersky who co-authored the blog post, said that most of the known Regin modules are “rather outdated” and that the firm hadn't observed any new infections of Regin since it disclosed the threat.

Back in November, analysts identified that Regin was likely used for intelligence gathering by a nation-state, and that attackers' exploits with the tool dated back to 2008. Regin infections were said to span 27 organizations in 14 countries.

Soumenkov also provided advice to organizations aiming to defend themselves against the threat, particularly in light of new evidence linking Regin and QWERTY developers.

“We've published several indicators of compromise [PDF] related to Regin. System administrators could download it and check if their organization is compromised or not,” he wrote.

“In general we advise to install a modern security suite on all endpoints and servers. It's beneficial to log events and set up a centralized logging system. It's also important to install updates when available and use whitelisting and default deny policies as much as possible,” Soumenkov said.
