Malware which has spied on international targets for more than six years has been detected.
According to research from Symantec, “Regin” is a back door-type Trojan with a high degree of technical competence, including a powerful framework for mass surveillance. Its capabilities include several Remote Access Trojan (RAT) features, including: capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks,” it said. “Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.”
It has several “stealth” features, including anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
The Trojan has the ability to hide stages via strong encryption, and executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. However only by acquiring all five stages is it possible to analyze and understand the threat.
This modular approach has been seen in other sophisticated malware families such as Flame and The Mask, while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.
Targets include private companies, government entities and research institutes. Almost half of all infections targeted private individuals and small businesses.
Symantec was unable to determine a specific infection vector, as it varies among targets and no reproducible vector had been found at the time of writing, but it believed that some targets may be tricked into visiting spoofed versions of well-known websites, and it may be installed through a web browser or by exploiting an application.
On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Symantec said: “Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns.
“The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”
