Regin – Highly advanced spying tool discovered by Symantec

Pierluigi Paganini November 24, 2014

Symantec has uncovered the backdoor Regin, a highly advanced spying tool used in cyber espionage campaigns against governments and infrastructure operators.

Backdoor Regin, is the name assigned by the experts at Symantec to an advanced spying tool that has been used in cyber espionage campaigns against governments, infrastructure operators, private companies, researchers, and private individuals.

Regin appears as a highly sophisticated malicious code, experts revealed that it has a degree of technical competence rarely seen, it has some resemblance with other state-sponsored malware like Flame,Duqu and the popular Stuxnet. Also in this case, Regin has a modular structure that makes the malware a very flexible agent that could be used by operators to tailor a campaign to individual targets, the effort necessary for its development appears significant, the experts speculate that it required months or years to be completed.

The circumstance led researchers to believe that Backdoor Regin was developed by a nation-state to spy on a wide range of international targets across several industries.

The evasion technique that allowed Regin backdoor to go undetected for years exploits a multi-staged process and each stage is hidden and encrypted. Regin is organized into five stages, each of which is encrypted except for the first one that implements the initial loader. Executing the first stage triggers a domino chain in which at each step the stage is decrypted and executed, and that in turn decrypts the successive stage, and so on.

As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage.  Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages.  Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.” states the blog post from Symantec.

Regin Backdoor 5 stages Symantec 2

Regin Backdoor 5 stages Symantec

The experts have identified dozens of different payloads that are used to spy on the infected machine, the principal functions implemented by the authors of Regin include code for stealing passwords, monitoring network traffic, capturing screenshots, seizing control of the target’s mouse and recovering deleted files.

Some payloads appear to be tailored to specific targets, for example, one module was designed to sniff the traffic of mobile telephone base station controllers and another to monitor the traffic of a Microsoft IIS server.

The disconcerting aspect of the story relates to the dating of the Backdoor Regin, Symantec experts believe it was a framework that threat actors used in multiple campaigns that date back to 2008 or several years earlier. Regin is known to have been active until 2011. The name Regin was assigned by Microsoft to the underlying trojan, the malware resurfaced in 2013 when the researchers at Symantec identified it.

“Essentially, what we think we’re looking at is different campaigns where in one infection they needed to sniff your keyboard whereas in another infection they wanted grab the user name and password of the admin connected to a base station controller,” Liam O’Murchu, manager of operations for Symantec Security Response, reported to Ars.

Analyzing the distribution of targeted industries it is possible to note that Regin was used to compromise Telecom Backbone in 28 percent of the attacks, the experts believe that the operators managing the cyber espionage campaign were interested to spy on specific customers of the targeted companies.


Regin Backdoor targets

The infections of Backdoor Regin detected by Symantec are also geographically diverse, attacks were observed in mainly in ten different countries, Russian Federation (28%), Saudi Arabia (24%), Ireland (9%) and Mexico (9%) lead the list.

The investigation is still ongoing, researchers at Symantec are aware of only about 100 infections, but a so powerful platform was surely used in a larger number of targeted attacks still uncovered. The researchers haven’t yet identified the command and control servers the attackers used, the knowledge of the control infrastructure provides to the experts a huge quantity of data that could support further analysis.

“Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.  Additional analysis continues and Symantec will post any updates on future discoveries” states the post.

Stay tuned for further information.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Backdoor Regin, cyber espionage)

[adrotate banner=”12″]

you might also like

leave a comment