Security researchers have discovered a highly advanced malware program, called Regin, that have been used for spying purposes for at least six years. First discovered by Symantec and confirmed by Kaspersky, the security threat is believed to be the work of a government, considering the massive resources behind it and its sophisticated features, rather than a program devised by hacker groups interested in stealing data and/or money from regular Internet users.

FROM EARLIER: ‘Dirtbox’ planes masquerade as cell towers to collect smartphone data in sophisticated spying ops

“An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals,” Symantec writes.

“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state,” the company adds.

Additionally, Regin has also targeted other types of victims, at least according to Kaspersky, including government agencies, financial institutions and certain individuals researching mathematics and cryptology — one such spying example is detailed in the image above, as found in an unnamed Middle Eastern country.

First discovered in 2008, Regin disappeared in 2011 and then resurfaced in 2013 — it’s not clear whether it really disappeared during that time, or whether it was simply undetectable on affected systems — with 14 countries identified as the top victims.

It’s not known what government created Regin or for what purpose, but Re/code points out reports from The Intercept and Der Spiegel that suggest the NSA and the British GCHQ might be behind it.

Researchers have not been able to explain how Regin spreads, but once installed, the malware can carry advanced spying operations on the affected computers — the following image shows the kind of sectors Regin infected, and the top countries hit by it.

regin-malware-infected-sectors-and-countries-symantecImage Source: Symantec

Symantec noted the program used a flaw in Yahoo Instant Messenger to infect some computers. Re/code says “the working hypothesis is that a targeted person’s Web browser is hijacked and they are taken to a site that looks legit, but which serves up the first stage of the Regin malware, which in turn downloads and installs the additional four stages to follow.”

Once installed, Regin can perform a variety of tricks, and cover its tracks, showing “a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors,” as Symantec puts it.

“There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files,” Symantec explains.

“More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.”

As for its stealth features, research has revealed that Regin creators put a lot of effort into making it “highly inconspicuous,” in order for it to be used in spy campaigns lasting for several years.

Even when detected, it’s difficult to realize what the program is doing, as Regin has anti-forensic capabilities, “a custom-built encrypted virtual file system,” alternative encryption features and “multiple sophisticated means to covertly communicate with the attacker.”

More specific details about Regin are available at the source links below.

Comments