Symantec sheds light on stealthy Regin malware

A backdoor-type Trojan called Regin has been targeting businesses and individuals around the world and has managed to elude malware researchers for at least the last eight years, according to security software vendor Symantec.

The company described Regin as a customizable piece of malware that provides its controllers with a robust framework for launching mass surveillance, particularly for “spying operations against infrastructure operators, businesses, private individuals and government organizations.”

A Symantec whitepaper described Regin as a five-stage threat with each stage “hidden and encrypted, with the exception of the first stage.” Multi-stage loading has been used in other malware such as the Duqu/Stuxnet family of threats.

When the first stage is executed it triggers the decryption and loading of each subsequent stage.


Very little information about the malware can be found in each individual stage. All five stages need to be acquired in order to analyze the malware.

“Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist,” the blog said.

The malware also uses a modular approach that allows it to load features specifically tailored for a certain target. This is a method seen in other malware families such as Flamer and Weevil.

Regin has several stealth features, including an encrypted virtual file system (EVFS) and alternative encryption in the form of a variant of RC5. The malware also communicates covertly with the attacker via Internet Control Message Protocol (ICMP/ping), by embedding commands in hypertext transfer protocol (HTTP) cookies, and over custom transmission control protocol (TCP) and user datagram protocol (UDP) protocols.

The top targets of Regin have been:

  • Private individuals and small businesses – 48 per cent
  • Telecom backbones – 28 per cent
  • Hospitality businesses – 9 per cent
  • Research organizations – 5 per cent
  • Airlines – 5 per cent
  • Energy companies – 5 per cent

Most infections were seen in:

  • The Russian Federation – 28 per cent
  • Saudi Arabia – 24 per cent
  • Mexico and Ireland – 9 per cent

“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks,” according to Symantec. “Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.”


Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.
