Symantec uncovers Regin, a highly advanced stealth spying tool developed by a nation state
Security firm Symantec has released details of an advanced cyberespionage tool it has discovered. Called Regin, the backdoor Trojan is described as having a structure that "displays a degree of technical competence rarely seen". Symantec goes as far as saying that the level of resources required to create such a highly advanced tool indicates that it was created by a nation state -- although there is no suggestion about who it might be.
The report says that Regin has already been used in mass surveillance programs, not by, but against, government organizations. Symantec estimates that the tool may have been years in development: it delivers multi-stage attacks, and great lengths are taken to hide each stage. The framework was designed to facilitate long-term surveillance, and the concealment techniques used make Regin difficult to fully understand.
Symantec has published a full white paper about Regin, and gives an overview of the capabilities and threats posed by the malware in a blog post. The malware appears to have been active since 2008, with a new version developed in 2013. A modular approach -- similar to that used by the Flamer and Weevil malware -- makes it easy to tailor attacks to individual targets. Roughly half of infections have been of private individuals, but a large proportion are more worrying targets such as telecoms and government agencies.
Strong language is used in Symantec's white paper to refer to Regin:
In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware. Regin is an extremely complex piece of software that can be customized with a wide range of different capabilities which can be deployed depending on the target. It is built on a framework that is designed to sustain long-term intelligence-gathering operations by remaining under the radar. It goes to extraordinary lengths to conceal itself and its activities on compromised computers. Its stealth combines many of the most advanced techniques that we have ever seen in use.
The capabilities of Regin are concerning to say the least. Password monitoring, remote access, recording of calls (more than a quarter of infections affected telecom backbones), and intercepting email are enough to make any sys admin break out in a sweat, but it is the difficulty of detecting the malware that is perhaps the greatest cause for alarm. Once a system is infected with Regin, a six-stage process takes place. Every stage is carefully encrypted to hide traces of activity:
The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of disk.
Full details of each of the stages are provided in the white paper, in which Symantec draws a comparison with the Stuxnet/Duqu family of malware. The impact that Regin has had, and will continue to have, is difficult to determine, but the report points out that the discovery serves as an important reminder that investments are still being made in global surveillance software:
The discovery of Regin serves to highlight how significant investments continue to be made into the development of tools for use in intelligence gathering. Many components of Regin have still gone undiscovered and additional functionality and versions may exist.
You can read the full report on the Symantec blog.