A backdoor-type Trojan, called Regin has been targeting businesses and individuals around the world and has managed to elude malware researchers for at least the last eight years, according to security software vendor Symantec.
The company described Regin as a customizable piece of malware which provides its controllers with a robust framework for launching mass surveillance particularly for “spying operations against infrastructure operators, businesses, private individuals and government organizations.
A Symantec whitepaper described Regin as a five-staged threat with each stage “hidden and encrypted, with exception of the first stage. Multi-stage loading has been used in other malware such as the Duqu/Stuxnet family of threats.
When the first stage is executed it triggers the decryption and loading of each subsequent stage.
Very little information about the malware can be found in each individual stage. All five stages need to be acquired in order to analyze the malware.
“Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist,” the blog said.
The malware also uses a modular approach that allows it to load features specifically tailored for a certain target. This is a method seen in other malware families such as Flamer and Weevil.
Regin has several stealth features including an encrypted virtual files system (EVFS) and alternative encryption in the form of a variant of RC5. The malware also covertly communicates with the attacker via Internet Control Message Protocol (ICMP/ping), embedding commands in hypertext transfer protocol (HTTP) cookies as well as custom transfer control protocol (TCP) and user datagram protocol (UDP).
The top targets of Regin have been:
- Private individuals and small businesses – 48 per cent
- Telecom backbones – 28 per cent
- Hospitality businesses – 9 per cent
- Research organizations – 5 per cent
- Airlines – 5 per cent and
- Energy companies – 5 per cent
Most infections were seen in:
- The Russian Federation – 28 per cent
- Saudi Arabia – 24 per cent
- Mexico and Ireland – 9 per cent
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks,” according to Symantec. “Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.”