Symantec warns of ‘stealth’ malware, Regin
Saudi Arabia is a leading victim in ‘state-sponsored’ spyware campaign
Security firm Symantec yesterday said it had discovered five-year-old malware that is so sophisticated that it exhibits "stealth" properties.
Symantec's blog post describes "Regin" as a backdoor-type Trojan that "displays a degree of technical competence rarely seen".
"It has several ‘stealth’ features," the company announced in the post. "These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn't commonly used."
Regin also uses a variety of means to covertly communicate with its command-and-control hub, such as ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
Symantec claims Regin has been used as spyware in surveillance operations against government departments, infrastructure operators, businesses, researchers, and private individuals. Attacks on telecom providers appear to concentrate on getting access to calls routed through their infrastructure.
Regin gets onto target machines by a variety of methods, including via cloned websites. Symantec said that on one computer its researchers found log files showing Regin had originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Symantec also argues that the level of sophistication in the sample suggests it is the work of state-backed authors.
One technique Regin uses to evade detection and analysis is splitting its work into five stages. According to Symantec, if researchers catch the malware in the middle of any one stage, they will be unable to determine its purpose.
Only in the final stage are attack payloads deployed, and only then can the malware selectively load modules designed specifically for the target. One commonly deployed module set delivers remote access Trojan (RAT) features, such as capturing screenshots, hijacking the mouse, stealing passwords, monitoring network traffic, and recovering deleted files.
While Regin has been around since 2008, it disappeared from the wild in 2011, only to return in 2013. In the samples analysed by Symantec, most victims were in countries that had 9% or less share in Regin attacks. However, two nations stood out as having disproportionate shares: Russian Federation with 28% and Saudi Arabia with 24%. Almost half of all victims were small businesses or private individuals.