New Regin malware is an incredibly sophisticated spy tool possibly linked to western governments.

Published: Wed, 26 Nov 2014 by Rad

On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

The discovery of an advanced piece of malware that has been used to spy against organisations for at least six years underlines the need for skills and vigilance, say security experts.

Work of multiple teams

According to further work by Kaspersky and other security researchers, it appears that Regin might be the result of a combined effort from US and UK intelligence agencies. It also seems that Regin has infected numerous GSM base stations - the cell towers that provide 2G and 3G mobile coverage.

Kaspersky says it has identified “a country in the Middle East” where Regin has infected systems at the president’s office, a research center, and a bank — and all of these infected systems are communicating with each other.

In the last decade, cybersecurity warfare has moved from the pages of spy novels to real-world implementations. Worms like Stuxnet have been used to cause damage to Iran’s nuclear centrifuges and delay the country’s development of its own nuclear capacity. Now, Symantec has released details on Regin — a new, incredibly sophisticated malware program that can deploy dozens or hundreds of separate payloads, allows for targeted, system-specific data gathering, and can be updated post-infection to introduce new payload capabilities.

"Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets."

https://www.us-cert.gov/ncas/alerts/TA14-329A

Significant reach

Regin’s reach is significant; the code has primarily targeted small businesses and private individuals, but 28% of its infections are focused on telecommunication backbones as well. The list of infected countries is somewhat instructive:

Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.

The list of infected countries would seem to imply a particular set of interests, possibly including global terrorism. Afghanistan, Iran, and Pakistan are all targets of particular US interest, and the 9% share for Ireland is noteworthy given that many corporations have taken advantage of low corporate taxes there to shed global tax burdens and reduce exposure. Mexico’s drug gangs wield considerable financial power, while Saudi Arabia has an enormous concentration of oil wealth and a history of offering tacit support to Islamic extremists through its endorsement of Wahhabism.

Targeted and precise payload

One key feature of the malware is the degree to which various functions can be sandboxed. The Symantec team has discovered precise payload capabilities that allow the malware’s function to be fine-tuned for very specific information. While it can be deployed in a “Hoover everything” approach, it doesn’t have to be.

The Symantec team that discovered the Backdoor.Regin malware said its structure displays a degree of technical competence rarely seen. Only the initial Stage 1 driver is visible as unencrypted code. Everything past that is encrypted, stored within the registry, or even written to the raw sectors at the end of the disk.

The researchers said even when its presence is detected, it is very difficult to ascertain what the malware is doing.
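As an added illustration of that last hiding place (this is not code from the article or from Symantec's analysis), the check below parses an MBR partition table and reports any sectors beyond the end of the last partition that are not all zero, which is the kind of unallocated tail space the article says later stages can be written to. The disk image is constructed inline; the function names and the partition layout are assumptions for the demo.

```python
import struct

SECTOR = 512


def last_partition_end(mbr: bytes) -> int:
    """Return the first LBA after the last MBR partition (0 if the table is unusable)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return 0
    end = 0
    for i in range(4):
        entry = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0 and sectors:
            end = max(end, lba_start + sectors)
    return end


def trailing_nonzero_sectors(image: bytes):
    """List (sector_index, sector_bytes) for sectors past the last partition that hold any data."""
    start = last_partition_end(image[:SECTOR])
    total = len(image) // SECTOR
    hits = []
    for s in range(start, total):
        chunk = image[s * SECTOR : (s + 1) * SECTOR]
        if any(chunk):  # all-zero tail space is the expected state
            hits.append((s, chunk))
    return hits


def build_test_image(total_sectors=64, hidden_at=60, payload=b"\xde\xad\xbe\xef"):
    """Constructed image: one 40-sector partition at LBA 8, plus a marker blob near the disk end."""
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0x07  # partition type byte (NTFS), purely illustrative
    mbr[446 + 8 : 446 + 16] = struct.pack("<II", 8, 40)  # start LBA, sector count
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(mbr) + bytearray(SECTOR * (total_sectors - 1))
    img[hidden_at * SECTOR : hidden_at * SECTOR + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    for sector, data in trailing_nonzero_sectors(build_test_image()):
        print(f"sector {sector}: {data[:16].hex()}")
```

On real disks this is only a triage signal: GPT-partitioned drives keep a legitimate backup header in the last sectors, and vendor or recovery areas may also sit past the final partition, so every hit needs a second look rather than an automatic verdict.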

Researchers observed a wide variety of features, including

  • screenshot-capturing,
  • taking control of mouse functions,
  • stealing passwords,
  • monitoring network traffic and
  • recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a sniffer for the administration traffic of mobile telephone base station controllers.

The researchers believe many components of Regin remain undiscovered and additional functionality and versions may exist.

Symantec said the discovery of Regin showed that significant investments had been made in developing intelligence-gathering tools.
