A new and dangerous cyberespionage threat called Regin appears to be designed like no other advanced persistent threat, according to Symantec, which said the malware was designed to monitor targeted organisations for extended periods of time.
In a report (.pdf) outlining the Regin Trojan back door, Symantec said the threat is on a par with the Stuxnet and Duqu malware in terms of sophistication. Regin works in six stages and targeted a variety of organisations between 2008 and 2011, before disappearing for a short period. A second version re-emerged in 2013.
"Regin is a highly-complex threat which has been used for large-scale data collection or intelligence gathering campaigns," Symantec said. "The development and operation of this threat would have required a significant investment of time and resources."
The list of organisations targeted by the Regin malware is extensive, and nearly half the victims are private individuals and small businesses. The attacks also hit telecommunications providers, as well as individuals at companies in the hospitality, energy and airline sectors. Individuals at organisations in Russia and Saudi Arabia appear to have been targeted the most. The Regin campaign was also detected at organisations in Mexico, Ireland and India, Symantec said.
“Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites, and the threat may be installed through a Web browser or by exploiting an application,” the company said in its report.
The infection contains a rootkit, capable of gaining access to the underlying operating system processes. Once the system was infected, the attackers obtained complete control of the infected system and could easily evade detection, Symantec said.
Malware dropped onto the system contained network-traffic-capturing functionality and the ability to view SSL-protected traffic. A password stealer could capture Windows passwords and browser credentials. A recording mechanism could capture screenshots, and log keystrokes and mouse clicks.
Nearly all nation states, including Russia, China and the US conduct targeted, sophisticated cyberespionage attacks. Solution providers said Regin, and other advanced persistent threats like it, are a serious concern because organisations typically get caught in the middle of cyberespionage campaigns.
For example, Stuxnet, which was said to be designed by the US and Israel to target and disrupt the Siemens industrial control system supporting Iran’s uranium enrichment program, was found on a variety of similar industrial control systems at manufacturers and power-generation facilities globally.
Symantec researchers could not determine how the advanced persistent threat gained initial access to the victim organisations, but said Regin was likely delivered through an attack website. Log files analysed by the researchers uncovered signs that an early exploit was delivered through Yahoo Instant Messenger, according to the report.
Regin stores its data files and payloads on disk in encrypted virtual file systems. Collected data is then uploaded to an extensive command-and-control infrastructure, Symantec said.
Symantec called the backbone of the threat "bi-directional," meaning that attackers can initiate commands on compromised computers and that infected systems can reach out to the attackers with information. Peer-to-peer communication was also built into the threat, enabling access and data flow between infected systems, according to the Symantec report.