Traces of Regin malware may date back to 2006

Regin was known about for some time by the security industry, according to Symantec

Malware that Symantec says was probably developed by a nation state may have been used for as long as eight years, a length of time that underscores the challenges the security industry faces in detecting advanced spying tools.

On Sunday, the computer security company published a 22-page report and blog post on the Regin malware, which it described as a powerful cyberespionage platform that can be customized depending on what type of data is sought.

It was predominantly targeted at telecoms companies, small businesses and private individuals, with different modules customized for stealing particular kinds of information. Symantec found about 100 entities infected with Regin in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan

A first version of Regin was active between 2008 and 2011. Symantec began analyzing a second version of Regin about a year ago that had been forwarded by one of its customers, said Liam O'Murchu, a Symantec researcher, in a phone interview Sunday.

But there are forensic clues that Regin may have been active as far back as 2006. In fact, Symantec didn't actually give Regin its name. O'Murchu said Symantec opted to use that name since it had been dubbed that by others in the security field who have known about it for some time.

If Regin does turn out to be 8 years old, the finding would mean that nation states are having tremendous success in avoiding the latest security products, which doesn't bode well for companies trying to protect their data. Symantec didn't identify who it thinks may have developed Regin.

Symantec waited almost a year before publicly discussing Regin because it was so difficult to analyze. The malware has five separate stages, each of which is dependent on the previous stage to be decrypted, O'Murchu said. It also uses peer-to-peer communication, which avoids using a centralized command-and-control system to dump stolen data, he said.

It's also unclear exactly how users become infected with Regin. Symantec figured out how just one computer became infected so far, which was via Yahoo's Messenger program, O'Murchu said.

It is possible the user fell victim to social engineering, where a person is tricked into clicking on a link sent through Messenger. But O'Murchu said it is more likely that Regin's controllers knew of a software vulnerability in Messenger itself and could infect the person's computer without any interaction from the victim.

"The threat is very advanced in everything it does on the computer," O'Murchu said. "We imagine these attacks have quite advanced methods for getting it installed."

Telecom companies have been particularly hard hit by Regin. Some of the companies have been infected by Regin in multiple locations in multiple countries, Symantec found.

The attackers appear to have sought login credentials for GSM base stations, which are the first point of contact for a mobile device to route a call or request data. Stealing administrator credentials could have allowed Regin's masters to change settings on the base station or access certain call data.

Regin's other targets included the hospitality, airline and ISP industries, as well as government.

"We do not think [Regin] is a criminal type of enterprise," O'Murchu said. "It's more along the lines of espionage."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecsecuritymalware

More about MessengerSymantecYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place