Regin malware: We will never find all the victims or payloads

Posted in Hacker News
The advanced and evolving nature of Regin means that the full extent of its damage will never be known, according to security firm Symantec, which revealed the threat to the world on Monday.
Regin malware is too complex to completely understand

The malware is believed to be state-sponsored, and recent estimates from Kaspersky Lab suggest that it has infected machines in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Indonesia, Kiribati, Malaysia, Pakistan, Russia and Syria.

Details of the malware remain unknown, including its infection method or true end purpose, but it is known to have strong espionage and data theft characteristics.

Orla Cox, security operations manager at Symantec, highlighted the firm’s experience in researching Regin as proof that current information on the threat is only the tip of the iceberg.

“[Regin’s authors] clean up pretty well after infections. They made it so they can carry out their operations and then erase any trace they’ve been there,” she told V3.

“We’ve seen some examples of infection where, by the time we get to the system concerned, it’s already been cleaned up.

“When we’ve actually managed to do investigations the only time we’ve found components on the machine is when it’s been a decommissioned server that’s been offline for quite a while.”

Cox added that the advanced nature of the malware makes compiling data on it a tricky process, even when aware of the threat.

“These are the types of threats that have masses of resources behind them, so they are designed in a way that makes it difficult for people like us to detect,” she said.

“They make it so that, even if we get a single component that works on its own, it’s innocuous and it’s only with the additional components that you can begin to see the bigger picture.

“With Regin we’re talking about something that has five separate stages, five separate layers only one of which is visible on disk. This means we’d see the visible element, a drive, but it wouldn’t give us any indication of what it does.”

Cox explained that, despite the difficulty in analysing threats like Regin, she expects further details about the malware to appear in the very near future.

“Now that the malware has been found, and we have more people in the research community looking for it, more information will come to light,” she said.

“I think we will also see more infections. The [Regin authors] are very good at cleaning up after themselves, so there are likely to be cases we’ll never know about, [but] other payloads will definitely come to light in the next few months.”

Cox downplayed speculation that cyber criminals may learn from and adapt the Regin malware.

“This is not a kit that can easily be refashioned. The techniques these people were using to leverage them, you’d require a high level of skill,” she said.

“For example we all remember when Stuxnet was released and there was a discussion that it could lead to further attacks where bad people used it, but that threat never materialised. I don’t think that will happen in this case either.”

Instead, Cox believes that the next big threat is likely to stem from a similar, highly resourced group like that behind Regin.

“Every time we see one of these we think there’ll be nothing else like it, and then something else appears,” she said.

“I think it’s likely there are other threats out there that are equally as complex. When we saw Stuxnet, for example, we thought we’d never see anything else like it. Now we have.”

Regin is one of many critical threats uncovered over the past few years. The influx began in 2010 when researchers uncovered the Stuxnet malware targeting Iranian nuclear systems.

Two years on, researchers uncovered the Flame espionage malware, then Kaspersky Lab reported finding Red October in 2013.

Red October is an advanced cyber spying campaign known to have targeted governments, political groups, businesses and critical infrastructure installations.

Key details about all three threats remain unknown to this day.

Source: V3