Symantec outs Regin, a stealthy and modular spy tool

Symantec has revealed details about a family of malware it says is a “top tier” espionage tool with sophisticated features on a level comparable with Flame and Stuxnet.

According to Symantec, the feature-laden Regin malware that has remained below the radar until now has been used in spy campaigns targeting numerous industries since at least 2008.

While the security vendor says Regin was likely used by a nation state, it does not point at a particular nation as the source of the malware.

The two biggest targets of the malware on a national basis were the Russian Federation, followed by Saudi Arabia, which together accounted for 52 percent of total infections. Neither China nor the United States was identified as a significant target.

The primary target by sector appears to be telecoms backbone providers, which accounted for 28 percent of the total. However, the majority of targets were private individuals and small businesses. Other significant targets by sector included hospitality, energy, airline and research.

Regin activity was at its height between 2008 and 2011, later resurfacing in a new form in 2013, which remains in use today.

“Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure,” Symantec noted in a blog post.

In a technical whitepaper Symantec released on Sunday, the company described Regin as an “extremely complex piece of software that can be customized with a wide range of different capabilities which can be deployed depending on the target.”

The malware is notable for the lengths its makers went to in order to keep the malware and its activities inconspicuous.

Symantec said that Regin could have taken years to make, even with a well-resourced team of developers. The company infers this from the malware’s extensive range of modules, which allow its controllers to swap out payloads to suit individual targets. The other evidence of labour is the set of methods used to conceal the malware, which include a custom-built encrypted virtual file system and the use of a variant of the rarely used RC5, a cipher designed by RSA.

Regin has six key components that coordinate to deliver the main payloads. These vary by target but typically enable information gathering, and can be customised to sniff network traffic, crawl the infected machine’s file system, retrieve deleted files, remotely control mouse and click activity, and take screen grabs, among dozens of payload options.

One advanced payload was a tool that monitored Microsoft IIS web server traffic. Another was a tool that collected administration traffic for mobile network base station controllers — the layer in a mobile network that handles traffic between handsets and base stations as mobile users move between coverage areas.

While the company extensively details features of Regin, crucial elements that might allow it to attribute the malware campaign to a specific country are missing.


One mystery is the exact method used to compromise victims. So far, Symantec researchers have not identified a “reproducible infection vector”. However, log files on one infected computer showed that Regin originated from Yahoo IM through an unconfirmed exploit.

Symantec’s technical paper also notes that Regin’s command-and-control (C&C) traffic used four transport protocols between infected computers and the command servers, but it does not give the IP addresses or web domains used by the attackers.

Symantec explained to CSO Australia in a statement that:

“The threat works not by making an outbound connection, but waiting for the attacker to connect to it via an inbound connection. It has the potential ability to make and initiate an outbound connection, but we have no such samples configured that way. All the samples we have are configured to rely on a peer-to-peer structure of communication and an infection at the border gateway of an organization that awaits contact by the attacker and further will proxy commands to internally compromised machines.”
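The statement above describes a communication model in which a compromised host at the network border accepts an unsolicited inbound connection and then relays commands to machines inside. That pattern is something a defender can look for in their own perimeter logs. The following is an added example written for this article, not code from Symantec or the article: a small heuristic over constructed firewall accept-log lines that flags a monitored gateway host which accepts a connection from an external address and, within a short window, itself opens connections to internal hosts. The log format, the internal range, the gateway set, the time window and the sample lines are all assumptions of this example.

```python
"""Heuristic for the inbound-then-proxy C&C pattern in perimeter logs.

Added example (not from the article or Symantec). It reads a constructed
accept-log format of the form
    <ISO timestamp> ACCEPT <src>:<sport> -> <dst>:<dport>
and reports each monitored gateway host that accepts an inbound connection
from a non-internal source and then initiates connections to internal hosts
within `window_seconds`.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions (hypothetical): the organisation's internal range and the
# perimeter hosts treated as "border gateways".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
GATEWAY_HOSTS = {"198.51.100.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOGS = """\
2014-11-23T10:00:01 ACCEPT 203.0.113.7:51022 -> 198.51.100.10:443
2014-11-23T10:00:09 ACCEPT 198.51.100.10:40311 -> 10.0.0.21:445
2014-11-23T10:00:12 ACCEPT 198.51.100.10:40312 -> 10.0.0.33:445
2014-11-23T10:05:00 ACCEPT 10.0.0.5:50001 -> 93.184.216.34:80
2014-11-23T11:30:00 ACCEPT 203.0.113.9:44000 -> 198.51.100.10:443
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_logs(text: str) -> list:
    """Parse accepted connections into time-sorted event dicts; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("action") != "ACCEPT":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_proxy_chains(text: str, window_seconds: int = 60) -> list:
    """Return one record per external->gateway->internal chain found."""
    events = parse_logs(text)
    window = timedelta(seconds=window_seconds)
    chains = []
    for i, ev in enumerate(events):
        # Trigger: a monitored gateway accepts a connection from outside.
        if ev["dst"] not in GATEWAY_HOSTS or is_internal(ev["src"]):
            continue
        targets = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            # Follow-on: the same gateway now connects inward.
            if later["src"] == ev["dst"] and is_internal(later["dst"]):
                targets.append(later["dst"])
        if targets:
            chains.append({
                "at": ev["ts"].isoformat(),
                "external": ev["src"],
                "gateway": ev["dst"],
                "internal_targets": sorted(set(targets)),
            })
    return chains


if __name__ == "__main__":
    for chain in find_proxy_chains(SAMPLE_LOGS):
        print(chain)
```

On the constructed sample the first inbound connection is flagged because the gateway fans out to two internal hosts within the window, while the 11:30 connection is not, since nothing follows it. A gateway that legitimately proxies inbound traffic (a reverse proxy or VPN concentrator) will trip this heuristic constantly, so in practice the trigger needs an allow-list of expected inbound ports and expected internal destinations per gateway; the value of the rule is in the unexpected combinations, such as a gateway that never normally speaks to file-sharing or administration ports inside suddenly doing so right after an unsolicited external connection.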

Other nations that each accounted for between five and nine percent of infections were Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
