DEVELOPED BY NATION STATE
The research showed that the Regin malware is believed to have been developed by a wealthy “nation state” and to be one of that state's primary cyber espionage tools, given the financial clout needed to produce code of this complexity with several stealth features to avoid detection. But the antivirus software maker did not identify which country was behind it.
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state,” said Symantec's Security Response team.
“The security firm did not name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011 with a since-decommissioned version of the malware that resurfaced after 2013.”
Regin uses a modular approach that allows it to load only the features that fit a given target, enabling customized spying. The malware's design makes it highly suited for persistent, long-term mass surveillance operations against targets, the company said.
The nasty malware's main targets include Internet service providers and telecommunications companies, where the complex software appears to be used to monitor calls and communications routed through the companies' infrastructure. Other targets include organisations in the hospitality, energy, airline, health and research sectors.
HIGHLY CUSTOMIZABLE FIVE STAGE STRUCTURE
Regin's highly customizable nature gives it large-scale remote access Trojan capabilities, including password and data theft, hijacking the mouse's point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.
“Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals,” Symantec said.
In order to remain stealthy, Regin is organized into five layers, each “hidden and encrypted, with the exception of the first stage.” It is a multi-stage attack in which no single stage reveals the overall picture. Executing the first stage starts a domino chain in which the second stage is decrypted and executed, which in turn decrypts the third stage, and so on.
The whole picture of the malware only emerges once all five stages have been acquired, because each individual stage provides little information about the complete package. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer's mouse, stealing passwords, monitoring network traffic, and recovering deleted files.
Other modules appear to be tailored to specific targets. Specialist modules were found monitoring the traffic of Microsoft Internet Information Services (IIS) servers, parsing mail from Exchange databases, and collecting administration traffic for mobile base station controllers.