Symantec warns of ‘stealth’ malware, Regin

Saudi Arabia is a leading victim in ‘state-sponsored’ spyware campaign

Security firm Symantec yesterday said it had uncovered a highly sophisticated piece of malware, in use since 2008, that is built around a number of "stealth" features.

Symantec's blog post describes "Regin" as a backdoor-type Trojan that "displays a degree of technical competence rarely seen".

"It has several 'stealth' features," the company announced in the post. "These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn't commonly used."

Regin also uses a variety of means to covertly communicate with its command-and-control hub, such as ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
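As an added illustration, not Symantec's code or detection logic and not a Regin signature, the script below runs two generic heuristics for the channel types just named over a constructed flow log: ICMP echo requests whose payloads are far larger than a normal ping, and HTTP cookies whose values are long and high-entropy, as smuggled commands would tend to be. Host pairs that show more than one anomalous channel are then surfaced for review. The log format, field names and every threshold are assumptions made for the example.

```python
"""Heuristic detection of covert C2 channels over a constructed flow log.

Added example, not Symantec's code and not a Regin signature: it flags the two
channel types the article names (data in ICMP echo payloads, commands in HTTP
cookies) using generic anomalies. The log format (proto,src,dst,key=value,...),
field names and thresholds are assumptions made for the example.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines (assumed format). Host 10.0.0.9 talks to
# 203.0.113.7 with near-MTU pings and a long random-looking cookie value;
# host 10.0.0.5 shows ordinary traffic.
SAMPLE_LOG = """\
icmp,10.0.0.5,8.8.8.8,type=8,len=56
icmp,10.0.0.5,8.8.8.8,type=8,len=56
icmp,10.0.0.9,203.0.113.7,type=8,len=1400
icmp,10.0.0.9,203.0.113.7,type=8,len=1380
http,10.0.0.5,198.51.100.2,cookie=lang=en
http,10.0.0.9,203.0.113.7,cookie=sid=kZ3qA9mT0xR7cL2nW5vB8dH1yJ6fP4sGuEiCoKbQ
tcp,10.0.0.9,203.0.113.7,dport=443,bytes=900
"""

LINE_RE = re.compile(r"^(?P<proto>\w+),(?P<src>[\d.]+),(?P<dst>[\d.]+)(?:,(?P<rest>.*))?$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"proto": m["proto"], "src": m["src"], "dst": m["dst"]}
    for kv in (m["rest"] or "").split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)  # first '=' only: cookie values contain '='
            rec[key] = value
    return rec


def shannon_entropy(s):
    """Bits per character: about 5.9 for random base64, about 4.1 for English text."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, icmp_payload_max=128, cookie_min_len=32, cookie_min_entropy=4.0):
    """Return {(src, dst): set(reason)} for every host pair with an anomaly.

    icmp_payload_max: echo-request payload bytes above which to flag (standard
    ping tools send 32 or 56). cookie_min_len / cookie_min_entropy: a cookie
    value that is both long and high-entropy is flagged. All three thresholds
    are assumptions for this example.
    """
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pair = (rec["src"], rec["dst"])
        if rec["proto"] == "icmp" and rec.get("type") == "8":
            if int(rec.get("len", "0")) > icmp_payload_max:
                findings[pair].add("oversized-icmp-echo")
        elif rec["proto"] == "http" and "cookie" in rec:
            value = rec["cookie"].split("=", 1)[-1]  # drop the cookie name
            if len(value) >= cookie_min_len and shannon_entropy(value) >= cookie_min_entropy:
                findings[pair].add("high-entropy-cookie")
    return dict(findings)


def correlated_pairs(findings, min_channels=2):
    """Host pairs showing at least min_channels distinct anomalous channels.

    One oversized ping or one opaque session token is everyday noise; the same
    pair of hosts using two independent covert channels is a far stronger lead.
    """
    return sorted(pair for pair, reasons in findings.items() if len(reasons) >= min_channels)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for pair, reasons in sorted(found.items()):
        print(f"{pair[0]} -> {pair[1]}: {', '.join(sorted(reasons))}")
    print("correlated:", correlated_pairs(found))
```

Either heuristic on its own produces false positives: legitimate session cookies are deliberately long and random, and some network tools send large echo requests, which is why the example only promotes a host pair when both channels look wrong at once. The article gives no detail of Regin's custom TCP and UDP protocols, so they are not modelled here.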

Symantec claims Regin has been used as spyware in surveillance operations against government departments, infrastructure operators, businesses, researchers, and private individuals. Attacks on telecom providers appear to concentrate on getting access to calls routed through their infrastructure.

Regin gets onto target machines by a variety of methods, including via cloned websites. Symantec said that on one computer its researchers found log files showing Regin had originated from Yahoo! Instant Messenger through an unconfirmed exploit.

Symantec also argues that the level of sophistication in the sample suggests it is the work of state-backed authors.

One technique Regin uses to evade detection and analysis is to split its work into five stages. According to Symantec, a researcher who captures the malware at any one stage cannot determine its purpose from that stage alone.

Only in the final stage are attack payloads deployed; it is here that the malware selectively loads modules built for the specific target. One commonly deployed module set delivers remote access Trojan (RAT) features, such as capturing screenshots, hijacking the mouse, stealing passwords, monitoring network traffic, and recovering deleted files.

Regin has been in use since 2008; it was withdrawn from circulation in 2011 and reappeared in 2013. In the samples Symantec analysed, two countries accounted for a disproportionate share of infections: the Russian Federation (28%) and Saudi Arabia (24%), with no other country above 9%. Almost half of all victims were small businesses or private individuals.
