Symantec has found an advanced malicious software application that appears to have been used for spying and collecting data across the globe. Named Backdoor.Regin, or simply Regin, the software is essentially a very powerful Trojan Horse that appears to have been circulating since 2008. It has been hitting government agencies, internet providers, telecom companies, airlines, industrial entities, research institutes, energy companies, and individual systems with impunity, using sophisticated encryption and targeting systems to spy on targets. It is speculated that most infections came from computers visiting "spoofed versions of well-known websites," says Symantec, though one case confirms Yahoo! Messenger was also involved.
In addition, according to Symantec, Regin has also been able to target mobile telephony base station controllers, allowing its creators to access calls being routed through their infrastructure.
The anti-virus company has released a white paper about the new threat, highlighting its similarity to the specially targeted Stuxnet virus that attacked Iranian nuclear reactors. The Mountain View, California-based maker of Norton anti-virus products said its research showed that a "nation state" was likely the developer of Regin, but Symantec did not identify any countries or victims. Regin was not created by cyber criminals. It is clever, and its modular approach suggests that it came from a wealthy country. Among its strongest features is the ability for its creators to drop in custom payloads that draw on specialist knowledge of sectors like telecommunication infrastructures.
Regin is not just another entry in the continually growing list of viruses, since this malware "displays a degree of technical competence rarely seen." Regin affects Windows-based computers, and it operates in five stages, providing a powerful framework for mass surveillance and offering flexibility so that attackers can customize their attacks depending on whether they need to remotely control a system, capture screenshots, or watch network traffic.
More importantly, Regin is extremely good at covering its tracks. Regin is encrypted in five stages, which makes an infection hard to detect. Only by acquiring all five stages is it possible to analyze and understand the threat. It also has tools to hinder forensics, and it can use alternative encryption in a pinch. Regin's design makes it highly suited for persistent, long-term surveillance operations against targets. According to Symantec, "many components of Regin remain undiscovered and additional functionality and versions may exist."
Symantec says Regin’s biggest targets were in Russia and Saudi Arabia, which accounted for about half of the confirmed infections of the Regin malware. Other countries were Mexico, Ireland, India, Iran, Afghanistan, Belgium, Austria, Pakistan, Syria, Malaysia, Indonesia, Kiribati, and Fiji Islands.
I could not have written this article without the help of the following sources:
- http://techcrunch.com/2014/11/24/regin-spying/
- http://www.reuters.com/article/2014/11/23/us-symantec-malware-regin-idUSKCN0J70SH20141123
- http://thenextweb.com/insider/2014/11/24/symantec-found-spying-tool-active-computers-around-world/
- http://gizmodo.com/meet-regin-super-spyware-thats-been-attacking-computer-1662399325?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
- http://www.zdnet.com/now-we-know-who-developed-state-sponsored-regin-malware-7000036111/
- http://www.forbes.com/sites/parmyolson/2014/11/24/regin-malware-spying-toolkit/
- https://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
- http://www.engadget.com/2014/11/23/regin-malware/?ncid=rss_truncated