Incident Response, Malware, TDR

Regin: nation-state possibly behind the stealthy modular spying malware


A nearly peerless, multi-staged and modular spying tool known as Regin is being referred to by Symantec, the security company that initially released information on the malware, as ‘groundbreaking' – particularly because of the advanced techniques it uses to conceal itself.

The sophistication of the threat and the skill sets being used in operations possibly dating back to 2008 have led Symantec to believe that Regin is being used by a nation-state, Orla Cox, senior operations manager with Symantec Security Response, told on Monday.

“We believe this is a tool that's used for intelligence gathering by a nation-state,” Cox said, explaining that numerous people would be needed to sift through the large amounts of data being gathered. “Looking at the code, there's no firm indicators of origin – country or otherwise.”

So far Symantec has identified hundreds of infections, which means that operations involving Regin have been highly targeted, Cox said.

The majority of observed Regin infections, 28 percent, have been in Russia, with 24 percent in Saudi Arabia, nine percent in Mexico and Ireland, and five percent in India, Afghanistan, Iran, Belgium, Austria and Pakistan, according to a whitepaper released by Symantec on Sunday.

At 48 percent, nearly half of observed infections have been private individuals and small businesses, the whitepaper indicates, with Cox explaining that targeted individuals have skill sets and knowledge that are of interest to the Regin operators. 28 percent of observed infections have been telecoms backbone, nine percent are hospitality, and five percent are in the energy, airline and research sectors.

“The attackers compromise GSM Base Station Controllers, which are computers controlling the GSM infrastructure,” Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, told in a Monday email correspondence. “This allows them to control GSM networks and launch other types of attacks, including the interception of calls and SMSes.”

Kaspersky Lab published its own research on Monday – also indicating that the operation is likely supported by a nation-state – and Raiu said that the Global Research and Analysis Team observed 27 victims in 14 countries, with a single victim possibly having several infected computers.

With the exception of Stage 1, Regin's multi-stage architecture involves the use of an RC5 encryption variant – making it tough to detect and analyze – and leads to the execution of dozens of different payloads, Cox said, adding it can erase itself and be updated at any time, as well as communicate with its command-and-control without blatantly raising alarms.

“The malware can collect keylogs, make screenshots, steal any file from the system, and extract emails from MS Exchange servers and any data from network traffic,” Raiu said.

The infection vector has yet to be confirmed, according to the Symantec whitepaper, which states that one computer's log files showed Regin originating from Yahoo! Instant Messenger via an unconfirmed exploit. Targets may also be getting infected by visiting fake websites, Cox said.

“[Regin] is definitely nation-based,” Jasper Graham, former technical director of the NSA and senior vice president of cyber technologies and analytics at Darktrace, told in a Monday email correspondence. “I believe it will take a while for agencies to fact-check and confirm its origin. I have seen software like this before, developed by the Russians and the Chinese, but I cannot confirm who the author of this one is.”

Citing security industry sources, its own technical analysis, and documents leaked by NSA whistleblower Edward Snowden, The Intercept reported on Monday that Regin is being used by U.S. and British intelligence agencies against the European Union and Belgian telecommunications company Belgacom.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.