IT Professionals Beware: Powerful Regin Malware Targeting Businesses

Security researchers at Symantec, the maker of Norton antivirus products, have discovered a sophisticated piece of malicious software spying on businesses, research institutes, governments, and critical telecommunications infrastructure since 2008. The company says it appears a “nation state” likely developed the malware — called Regin, or Backdoor.Regin — but the company didn’t identify any suspected country.

“In the world of malware threats, only a few examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware,” says Symantec in a new white paper released Sunday.

Cybersecurity has become a core concern among IT professionals and the businesses they serve, with dozens of high-profile breaches of major companies and customer data occurring in the past several years.

Regin doesn’t appear to be designed to damage systems, but instead compromises them and gathers information, says the company on its blog. The malware is built to be stealthy, with “anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used.” The result is that even after its presence is detected, it’s difficult to determine what the malware is doing. The company adds “many components of Regin remain undiscovered and additional functionality and versions may exist.”

What business sectors are targeted

It’s been found in 10 countries, apparently targeting key business sectors, including:

  • 48% Private individuals and small businesses
  • 28% Telecommunications backbone
  • 9% Hospitality
  • 5% Energy
  • 5% Airline
  • 5% Research

The report said Regin’s targets were customers of companies, rather than the companies themselves, and about half of its infiltrations were at addresses of Internet service providers. The malware was active from 2008 – 2011, then resurfaced again in 2013. It seems designed “for persistent, long-term surveillance operations against targets,” says Symantec. Regin is flexible and can be customized to include capabilities specific to a target. Symantec says its development appears to have taken “months, if not years” and that “its authors have gone to great lengths to cover its tracks.”

Complex, flexible, customizable malware

Symantec says Regin deploys in five stages, each “hidden and encrypted, with the exception of the first stage … each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”

The malware’s modular approach also enables it to load features specific to certain targets, similar to other malware like Flamer and Weevil (The Mask). Some Regin features were also similar to the Duqu malware and the computer worm Stuxnet.

IT professionals take note: Symantec describes 26 payload types, many of which have multiple functions that may target the kernel of the operating system and user functions, including:

  • Network packet capture
  • Password stealing which seems to be mainly around Windows Explorer and Internet Explorer
  • Gathering system data and resource usage including drives and shares, licence keys, services, system auditing rules and policies and installed software.
  • UI manipulation which includes capturing screenshots and logging keystrokes.
  • File exploration and forensic capabilities such as browsing directories, reading and writing files, recovering deleted files and computing file hashes.

Symantec says it’s clear Regin is designed for spying — it can capture passwords, take screenshots, take control of mouse functions, monitor network traffic, collect data from computer memory, and even retrieve deleted files. In a final note of caution, Symantec notes “many components of Regin have still gone undiscovered and additional functionality and versions may exist.”

Read more detail in the Symantec white paper “Regin: Top-tier espionage tool enables stealthy surveillance.”

Who is John Paulsen? A former small-business leader myself, I feel your pain (and joy) and hope you’ll enjoy the blog. I launched and ran a well-regarded production company in San Francisco with a team of 9 brilliant, hard working people. I learned to manage a wide array of tasks a small business must handle — business strategy, facilities design, HR, payroll, taxes, marketing, all the way down to choosing telecom equipment and spec’ing a server system to help my team collaborate in real-time on dense media projects from multiple production rooms. I’ve partnered with and learned from dozens of small business owners.


2015-01-14T02:38:11+00:00
