A leading computer security company says it has discovered one of the most sophisticated pieces of malicious software ever seen.
Symantec says the bug, named Regin, was probably created by a government and has been used for six years against a range of targets around the world.
Once installed on a computer, it can do things like capture screenshots, steal passwords or recover deleted files.
Experts say computers in Russia, Saudi Arabia and Ireland have been hit most.
It has been used to spy on government organisations, businesses and private individuals, they say.
Researchers say the sophistication of the software indicates that it is a cyber-espionage tool developed by a nation state.
They also said it likely took months, if not years, to develop and its creators have gone to great lengths to cover its tracks.
Sian John, a security strategist at Symantec, said: “It looks like it comes from a Western organisation. It’s the level of skill and expertise, the length of time over which it was developed.”
Symantec has drawn parallels with Stuxnet, a computer worm thought to have been developed by the US and Israel to target Iran’s nuclear program.
That was designed to damage equipment, whereas Regin’s purpose appears to be to collect information.
What others are saying about Regin:
An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.
As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
Regin also uses a modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.
Infection vector and payloads
The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.
There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.
More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.
Regin’s developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing. Symantec was only able to analyze the payloads after it decrypted sample files.
It has several “stealth” features. These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.
Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.
The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist. Additional analysis continues and Symantec will post any updates on future discoveries.
The researchers said Regin has been used in what appears to be an ongoing spying operation that started in 2008, stopped suddenly in 2011, and then resumed in 2013.
The campaign was carried out against government organizations, businesses, researchers and private individuals. About 100 Regin infections have been detected, the researchers said, with most — a combined 52 percent — in Russia and Saudi Arabia. The remainder have occurred in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. No infections have yet been detected in the U.S. or China.
Symantec was first made aware of Regin after customers discovered parts of it and sent the code for analysis. “We realized there was more to what was sent us than was readily apparent and went back to investigate further,” said Liam O’Murchu, one of the researchers. Symantec security software can now detect it, he said.
The quality of Regin’s design and the investment required to create it is such that it was almost certainly made by a nation-state, said O’Murchu. But asked to speculate which nation-state, he demurred. “The best clues we have are where the infections have occurred and where they have not,” he said in an interview with Re/code. “We know it was a government that is technically advanced. … This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006.”
It doesn’t take much of a leap to wonder out loud if the U.S. National Security Agency or the Central Intelligence Agency, perhaps working with Israel, might be the source, especially given the list of countries targeted. However, there are other possible sources, including China.