The Regin malware, often described as the devil spawn of Stuxnet and Duqu, is the handiwork of the Five Eyes nation state spy apparatus, analysis reveals.
The malware was named in November by researchers impressed with the smarts that helped it hide in plain sight for up to six years.
Analysis overnight by Kaspersky malware reversers Costin Raiu and Igor Soumenkov found a Regin plugin - a keylogger called QWERTY - used source code known to be the product of a Five Eyes intelligence alliance member nation.
"We've obtained a copy of the malicious (QWERTY) files published by Der Spiegel and when we analysed them, they immediately reminded us of Regin," the duo said.
"Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.
"Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its source codes, we conclude the QWERTY malware developers and the Regin developers are the same or working together."
Malware QWERTY was a keylogger plugin built for the modular WARRIORPRIDE malware platform revealed under the Edward Snowden trove of NSA project documents.
The plugin and the platform were considered related due to multiple shared code references including WzowskiLib and CNELib.
Kaspersky's work opens the possibility that Regin and WARRIORPRIDE were the same malware.
The research duo said the plugins did not function as stand-alone malware and relied on kernel hooking functions. ®