First uncovered and named by Symantec, the malware, dubbed a “top-tier espionage tool”, doesn’t seem to have infected any of the so-called ‘Five Eyes’ nations.Since, Kaspersky Lab has revealed that 14 nations have so far been identified as being infected by Regin, including Russia, Iran and Germany, but not the UK, the US, Australia, New Zealand or Canada, as the map below shows.
Kaspersky also noted that it is odd that Fiji and Kiribati are victims of Regin.
“Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual,” it said. “To put this into context, Kiribati is a small island in the Pacific with a population of around 100,000.”
The report by Kaspersky also reveals that the Regin tool has been used to access mobile networks, undoubtedly to siphon off data, which again suggests the work of US and UK spy agencies in light of other operations revealed by Edward Snowden.When it announced its discovery, Symantec said Regin had been used in spying campaigns against a range of international targets since at least 2008.
“A backdoor-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen,” said Symantec.
“Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers and private individuals.”
is a multi-staged threat, and each stage is hidden and encrypted with the exception of the first stage. The first stage starts a domino chain of decryption and loading of each subsequent stage to a total of five. Each stage provides little information on the complete package, and only by acquiring all five stages is it possible to analyse and understand the threat.
Symantec said that the development of Regin could have taken years, and the malware’s authors have gone to great lengths to cover its tracks.
“Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state,” the security firm added.
Regin infections have been observed in a variety of organisations between 2008 and 2011, after which it was abruptly withdrawn. A new version of the malware resurfaced in 2013. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites, and that the threat may be installed through a web browser or by compromising an application. Log files on one computer showed that Regin originated from Yahoo Instant Messenger through an unconfirmed exploit.
“Regin’s developers put considerable effort into making it highly inconspicuous. Its low-key nature means it can potentially be used in espionage campaigns lasting several years,” the firm added.
Symantec said that it is very difficult to ascertain what the malware is doing, even when its presence is detected, and that analysis of the payloads was possible only after decrypting sample files.
Pedro Bustamante, director of special projects at Malwarebytes, told The INQUIRER that Regin is the cyber equivalent of a specialist covert reconnaissance team.
“The analysis shows it to be highly adaptable, changing its method of attack depending on the target,” he said.
“It also has some very advanced evasion techniques that make it suitable for spending long periods carrying out undercover surveillance.”