Symantec reveals new mass surveillance trojan


24 November 2014

A sophisticated new spying tool has been identified by Symantec that displays “a degree of technical competence rarely seen,” said the company in a blog post.

The tool, dubbed ‘Regin’, has been in use since 2008 and has targeted governments, infrastructure operators, businesses, researchers, and private individuals. According to Symantec, Regin is highly customisable, with an extensive range of capabilities depending on the target. The malware provides its controllers with a powerful framework for mass surveillance.

It is likely, said Symantec, that its development took months, if not years, to complete and that its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state, said Symantec in the blog post.

Backdoor.Regin is a multi-staged threat, according to research, and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat.
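The five-stage chain described above can be illustrated from an analyst's side. The following Python model is an added example and is not Symantec's code, nor does it reproduce Regin's actual encryption or loading mechanism: the SHA-256-derived keys, the XOR keystream and the “STAGE” marker are constructed assumptions chosen only to show why each captured stage alone reveals little and why every stage must be acquired before the chain can be followed to the end.

```python
import hashlib
from typing import List, Optional

STAGE_COUNT = 5
MARKER = b"STAGE"  # constructed: what a "readable" stage starts with in this toy model


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a deterministic keystream (toy construction, not Regin's)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def derive_key(previous_plaintext: bytes) -> bytes:
    """Assumption for this model: stage N's key is a hash of stage N-1's decrypted content."""
    return hashlib.sha256(previous_plaintext).digest()


def build_chain() -> List[bytes]:
    """Construct the five artifacts an analyst might recover from disk.

    Stage 1 is stored in the clear (as the article states); stages 2..5 are
    each encrypted under a key derived from the preceding decrypted stage.
    """
    plaintexts = [
        f"STAGE {i}: constructed payload text for stage {i}".encode() for i in range(1, STAGE_COUNT + 1)
    ]
    artifacts = [plaintexts[0]]
    for i in range(1, STAGE_COUNT):
        key = derive_key(plaintexts[i - 1])
        artifacts.append(_xor(plaintexts[i], _keystream(key, len(plaintexts[i]))))
    return artifacts


def is_readable(blob: bytes) -> bool:
    """Crude check standing in for 'does this look like code/config rather than ciphertext'."""
    return blob.startswith(MARKER)


def analyse(artifacts: List[Optional[bytes]]) -> List[bytes]:
    """Walk the chain as an analyst would, returning every stage that could be decrypted.

    Analysis stops at the first stage that is missing (None) or that does not
    decrypt to readable content, mirroring the article's point that the threat
    can only be understood once all stages are in hand.
    """
    recovered: List[bytes] = []
    if not artifacts or artifacts[0] is None or not is_readable(artifacts[0]):
        return recovered  # without the unencrypted first stage there is no entry point
    current = artifacts[0]
    recovered.append(current)
    for blob in artifacts[1:]:
        if blob is None:
            break  # a stage was not captured: the rest of the chain stays opaque
        key = derive_key(current)
        candidate = _xor(blob, _keystream(key, len(blob)))
        if not is_readable(candidate):
            break  # wrong predecessor or corrupted capture: decryption yields noise
        recovered.append(candidate)
        current = candidate
    return recovered


if __name__ == "__main__":
    chain = build_chain()
    print("all five stages captured:", len(analyse(chain)), "stages recovered")
    partial = list(chain)
    partial[2] = None  # simulate stage 3 not being recovered from the host
    print("stage 3 missing:", len(analyse(partial)), "stages recovered")
    print("stage 4 on its own readable?", is_readable(chain[3]))
```

Running it shows the complete chain yields all five stages, while losing a single intermediate stage halts analysis at the stage before it, and an isolated later-stage artifact is indistinguishable from random bytes.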

Regin also uses a modular approach, warned Symantec, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats. Although Regin has been in the wild since 2008, Symantec said that a new version was seen in 2013.

There are dozens of Regin payloads, but standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files. More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a sniffer for the administration traffic of mobile telephone base station controllers.

“Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns,” said Symantec. “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”

“The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist. Additional analysis continues and Symantec will post any updates on future discoveries.”

Symantec’s research has shown that of the countries affected, the Russian Federation was most targeted, seeing more than a quarter (28%) of all activity. Saudi Arabia was second, with nearly a quarter (24%). However, more worryingly, Ireland and Mexico were in joint third at 9% each.


TechCentral Reporters
