Symantec Spots Stuxnet-like State-Backed Spyware

Security researchers have discovered a new and unusually complex piece of malware likely to have been designed by a nation state for use in advanced, mass surveillance campaigns.

Regin is a ‘back door-type’ Trojan which is customizable depending on the target and is encrypted at each stage to avoid detection, according to Symantec.

The firm’s Security Response team explained:

“Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”

Regin’s multi-stage architecture is reminiscent of the Duqu/Stuxnet family, while its modular approach has previously been seen in Flamer and Weevil, the vendor added.

There are apparently dozens of payloads, with RAT-type features like screenshot capture most common. More specialized modules include a Microsoft IIS web server traffic monitor and a traffic sniffer designed to work on mobile telephone base station controllers.

As well as encryption, Regin stays hidden thanks to anti-forensics capabilities and embedding commands in HTTP cookies, amongst other traits.

There is no single infection vector either: some users may have been tricked into visiting a malicious version of a well-known site, with the threat then installed via a web browser or an application exploit, Symantec said.

Around half of all infections spotted targeted private firms and small businesses, with the public sector and research bodies also affected. Activity occurred between 2008 and 2011; then Regin was “abruptly withdrawn” before a new version surfaced last year, Symantec said.

The vendor wouldn’t speculate on which nation state may have been behind it but most victims were in the Russian Federation (28%) and Saudi Arabia (24%), followed by a long tail including Mexico (9%) and Ireland (9%).

Symantec concluded:

“Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.

The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.”

A more detailed white paper is available here.