Symantec recently reported on an advanced malware tool known as Regin or Backdoor.Regin that has been showing up around the globe. A post that appeared on the company's blog on Sunday described Regin as “An advanced spying tool [that] displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.”
According to Symantec, capabilities include capturing screenshots, stealing passwords, taking control of the mouse’s point-and-click function, monitoring network traffic and gathering information on processes and memory use. It can also search for and retrieve deleted files.
This malware has been around since 2008, prompting at least one insider to question why Symantec has waited until now to make "a big deal about this." Part of the reason may be the design of the tool, making it "highly suitable for persistent, long-term surveillance operations" and the fact that it was withdrawn in 2011 but resurfaced again from 2013 onward.
This report provides a few details on how the spy tool functions:
Symantec described the malware as having five stages, each "hidden and encrypted, with the exception of the first stage." It said "each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat."
Regin also uses what is called a modular approach that allows it to load custom features tailored to targets, the same method applied in other malware, such as Flamer and Weevil (The Mask), the antivirus company said. Some of its features were also similar to Duqu malware, uncovered in September 2011 and related to a computer worm called Stuxnet, discovered the previous year.
As you may recall, the Stuxnet worm was used not so long ago to damage Iran's nuclear centrifuges in an effort to hamper nuclear development in that country. Unlike Stuxnet, which is designed to cause serious physical damage, Regin is built for extensive data theft while masquerading as Microsoft software. It is also highly customizable, depending on the requirements of the operation.
There is also the question of where Regin originated. It seems very likely it was developed by Western intelligence. A number of clues point in that direction. For example, none of the Regin attacks have been directed at US or Canadian targets. The countries most heavily impacted by the malware hold varying degrees of interest for American and allied intelligence: Pakistan, Saudi Arabia, Mexico, the Russian Federation and Iran.
The two countries most targeted are Saudi Arabia (24%) and Russia (28%). Ireland, with a surprising 9% share of the infection pie, seems at first glance a bit of an anomaly; however, as an article in ExtremeTech notes, "... many corporations have taken advantage of low corporate taxes there [Ireland] to shed global tax burdens and reduce exposure", doubtless making it a target for this type of operation.
A post on Common Dreams notes that "Mikko Hypponen, chief research officer at F-Secure, told Fox-Brewster that his firm does not believe Regin was made by Russia or China, 'the usual suspects.' According to Fox-Brewster, this leaves the U.S., U.K. or Israel as the 'most likely candidates,' an assumption that Symantec threat researcher Candid Wueest said was 'probable.'"
A post on The Intercept identifies the owners of the cyber-fingerprints behind a number of European operations. The authors of "Secret malware in European Union attack linked to U.S. and British intelligence" leave no doubt about who was behind the sophisticated Regin attacks that went after European Union targets and a Belgian telecommunications company:
Regin was found on infected internal computer systems and email servers at Belgacom, a partly state-owned Belgian phone and internet provider, following reports last year that the company was targeted in a top-secret surveillance operation carried out by British spy agency Government Communications Headquarters, industry sources told The Intercept.
The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency.
Read the full Intercept story here.