New malware dubbed “Regin”, which has been likened to Stuxnet, has been uncovered in Russia and Saudi Arabia, according to Symantec.
The security software maker believes that the malware was developed and run by a Western intelligence agency, and that it might have taken years to develop. The malware has been used in spying campaigns since at least 2008.
According to Symantec, Regin is a customisable back-door Trojan that “provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals”.
The malware is deployed in multiple stages, each of which is encrypted. “Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat,” claims Symantec.
The malware had been “observed” at a number of different organisations between 2008 and 2011, when it was abruptly withdrawn. A new version appeared from 2013, claimed Symantec.
About half of the targets were private individuals and small businesses, but more than one-quarter were telecoms companies running internet backbone networks, with five per cent in the energy sector and five per cent in the airline industry.
Russia and Saudi Arabia were by far the most targeted geographies, with around one-quarter of the infections each, followed by Mexico and Ireland with 10 per cent each, and India, Iran, Belgium, Austria, Pakistan and Afghanistan with five per cent each.
“The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo Instant Messenger through an unconfirmed exploit,” claimed Symantec.
It continued: “There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
“More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.”
The company suggested that the level of resources that have gone into Regin over an extended period of time, the way it has targeted specific people and organisations, and the way in which it has been developed and used – for intelligence gathering – together indicate that a spy agency is probably behind the malware.
It warned that many components of Regin probably “remain undiscovered” and that “additional functionality and versions may exist”.
The company has produced a 22-page analysis of Regin giving a detailed breakdown of how it works.