The cyber security firm Symantec on Sunday revealed that a malicious new piece of software is collecting information on individuals, companies, and government entities without their knowledge.
The malware, called Regin, is considered to be a mass surveillance and data collection tool (sometimes referred to as “spyware”). Its purpose and origin is still unclear, Symantec said, but researchers believe that the program is the work of a nation-state.
“We believe Regin is used primarily for espionage,” said Liam O’Murchu, a security researcher at Symantec. “We see both companies and individuals targeted. The ultimate goal is to listen in on phone calls or something like that. [Regin’s operators] target individuals and spread the attack to find whatever it is they’re looking for. All of these things together make us think that a government wrote it.”
Symantec said Regin (pronounced “re-gen,” as in “regenerate”) monitors its targets with a rarely-seen level of sophistication. Internet service providers and telecommunications companies make up the bulk of the those that are initially infected, researchers said. Regin then targets individuals of interest—in the hospitality, energy, research, and airline industries, among others—that are served by those ISPs. Regin’s operators continue to use infected companies as a springboard to gain access to more individuals. Once they gain access, they can remotely control a person’s keyboard, monitor Internet activity, and recover deleted files.
More than half of observed attacks have targeted Russia and Saudi Arabia, Symantec said. The rest are scattered across Europe, Central America, Africa, and Asia. The initial infection can come from a wide variety of sources, such as copies of popular websites or web browsers and USB drives that have been plugged into contaminated systems.
Regin has five attack stages. It begins with an initial “drop,” also called a Trojan horse (or “backdoor”) breach, that allows it to exploit a security vulnerability while avoiding detection. The first stage deploys what is called a loader, which prepares and executes the next stage; the second stage does the same to complicate detection. The third and fourth stages, called kernels, build a framework for the fifth and final stage, called the payload. That’s when it can wrest control of a computer or leap to a new victim.
Each stage prepares and executes the next, rather than deploy from a common framework. It’s similar in concept to Russian nesting dolls. Regin’s distributed structure makes it difficult for cyber security researchers to identify it without capturing information about all five stages.
The malware is made up of a system of customizable modules so that it may collect the information it needs across a number of different victims. For example, one Regin attack might capture a password from a hotel clerk’s computer while another attack may obtain remote control of another computer’s keyboard for purposes unknown. Each module is customized for one task or system, making detection and prevention of a comprehensive Regin attack difficult.
“One of the problems we have with analyzing is we don’t have all the components,” O’Murchu said. “You only get the modules set on that [particular] victim. But we know there are far more modules than what we have here. We don’t have enough information to understand. On top of that, it’s coded in a very advanced way to leave a small footprint. Anything they leave behind is encrypted. Each part is dependent on having all the parts.”
This kind of operational complexity is typically reserved for a state or a state-sponsored actor, Symantec said. Only a handful of malware programs to date have demonstrated such sophistication. In 2012, the Flamer malware used the same modular system to hit targets in the West Bank of Palestine, Hungary, Iran, and Lebanon, among other countries. Regin’s multi-stage attack pattern operates similarly to the Duqu malware and its descendent Stuxnet, the malware responsible for the disruption of Iranian nuclear facilities in 2010. O’Murchu said Regin is part of a disquieting trend of government-written and government-enacted malware.
“We often say that Stuxnet opened Pandora’s box,” O’Murchu says. “Whether that is because we know what to look for now or because there has been a genuine increase since Stuxnet is up for debate, but what we can say is that yes, we now know about a lot more scary government malware than before. It is far more pervasive, it is embedded in more organizations than we have ever seen, it is more organized than ever, and it is more capable than ever. I would say there has been an explosion in government related malware, and it doesn’t seem to be going away anytime soon.”
What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.
“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”