Regin backdoor: Sophisticated, stealthy, state-sponsored?

Symantec researchers are warning about a new, complex cyber espionage tool that has been around for years and that has likely been created and is wielded by a nation state.

Dubbed Regin, the malware has been used since at least 2008 to mount spying operations against government organizations, infrastructure operators, private sector businesses, but also researchers and private individuals.

In fact, almost 50 percent of all the identified targets are either private individuals and small businesses, followed by telecoms (28 percent), companies in the hospitality and energy business, airlines, and research organizations. Another thing that comes a bit of a surprise is the fact that the malware was aimed mainly at individuals and organizations in the Russian Federation, Saudi Arabia, Ireland, and Mexico:

As F-Secure researchers noted, “this malware, for a change, isn’t coming from Russia or China.”

Regin has been compared to Stuxnet, Flame, Duqu and Turla (Snake) – all highly complex malware used in sophisticated attacks that are believed to be state-sponsored.

“Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages,” Symantec researchers explained. “Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”

The malware is modular, therefore customizable.

“There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files,” they discovered. “More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.”

Even though the researchers got their hands on two different variants of the backdoor – one that was used between 2008 and 2011, and another from 2013 onwards – they still don’t know what infection vectors have been used. It’s likely that the malware was delivered via spoofed versions of well-known websites or exploitation of app vulnerabilities. “On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit,” they pointed out.

All in all, the researchers believe that the malware’s development took months, and that its complexity, efficacy and great stealth features are a proof of its nature as a state-backed-and-developed spying tool.

Symantec has dedicated a paper to the threat that, among other things, also includes indicators of compromise that will come in handy to security administrators looking to see if their systems and networks have been targeted and compromised. You can pick it up here.

Kaspersky Lab researchers have also shared their findings related to the malware.

“Regin almost certainly has been used for very large scale data gathering. It’s taken a lot of resources to create and most probably will have many variants both waiting to be released and in the wild already,” Mark James, security specialist at ESET, commented. “We would be naive to think that there aren’t other very similar complex pieces of malware out there undetected, quietly sitting on hardware gathering data and sending it back for intelligence and malicious means.”


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss