Michal Paszkiewicz

Regin trojan


Symantec summary

TLDR:

This malware is crazy. Version 1.0 has been in use since 2008. Version 2.0 has been in use since at least 2013, although little is known about it yet, as it has not been fully analysed; Symantec's report is based on analysis of version 1.0. Working out what the software actually contains has proven difficult, because the program is split into stages, each of which decrypts the next stage before executing it. An analyst therefore cannot read a later stage out of the sample directly: every stage has to be unpacked in turn, which makes it much harder to discover what lies hidden in each subsequent stage.
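To make the analysis problem concrete, here is an added illustration (not code from the original post, and not Regin's real on-disk format) of a staged container in Python. Each stage is encrypted and authenticated under a key that is derived from the previous stage's decrypted code, so the key for stage k+1 exists only once stage k has been unpacked, and a string search over the outer sample finds none of the inner stages. The cipher (an HMAC-SHA256 counter keystream), the key-derivation rule and the container layout are all assumptions made for the demo.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag prepended to every stage container (demo layout)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from HMAC-SHA256 over a counter (demo cipher, not a vetted AEAD)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def next_key(stage_code: bytes) -> bytes:
    """Assumed rule: the key for stage k+1 is derived from stage k's decrypted code."""
    return hashlib.sha256(stage_code).digest()


def wrap_stage(code: bytes, inner: bytes, key: bytes) -> bytes:
    """Assumed container layout: tag || encrypt(len(code) || code || inner_container)."""
    plain = len(code).to_bytes(4, "big") + code + inner
    tag = hmac.new(key, plain, hashlib.sha256).digest()
    return tag + xor_bytes(plain, keystream(key, len(plain)))


def build_chain(stages: list[bytes], root_key: bytes) -> bytes:
    """Nest the stages innermost-first; stage 0 is keyed by root_key, stage k by next_key(stage k-1)."""
    keys = [root_key] + [next_key(s) for s in stages[:-1]]
    blob = b""
    for code, key in zip(reversed(stages), reversed(keys)):
        blob = wrap_stage(code, blob, key)
    return blob


def peel(blob: bytes, root_key: bytes) -> list[bytes]:
    """Unpack stage by stage; a wrong key or a tampered container stops the chain at that stage."""
    stages: list[bytes] = []
    key = root_key
    while blob:
        tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
        plain = xor_bytes(ct, keystream(key, len(ct)))
        expected = hmac.new(key, plain, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"stage {len(stages)}: wrong key or tampered container")
        n = int.from_bytes(plain[:4], "big")
        code, blob = plain[4:4 + n], plain[4 + n:]
        stages.append(code)
        key = next_key(code)  # only now can the next stage be decrypted
    return stages


def can_peel(blob: bytes, root_key: bytes) -> bool:
    """True if the whole chain unpacks cleanly under root_key."""
    try:
        peel(blob, root_key)
        return True
    except ValueError:
        return False


def visible_in_sample(blob: bytes, stages: list[bytes]) -> list[bool]:
    """What a static string search over the outer sample would find: none of the stage bodies."""
    return [s in blob for s in stages]


if __name__ == "__main__":
    # Constructed sample stages standing in for dropper, loader and payload code.
    demo_stages = [b"stage0: dropper", b"stage1: loader", b"stage2: driver", b"stage3: payload"]
    sample = build_chain(demo_stages, b"root-key")
    print("static search finds stages:", visible_in_sample(sample, demo_stages))
    print("unpacked:", peel(sample, b"root-key"))
    print("unpacks with wrong key:", can_peel(sample, b"wrong-key"))
```

The practical consequence for an analyst is visible in `peel`: there is no shortcut to stage 3, because its key is a function of stage 2's plaintext, and stage 2's key is a function of stage 1's. A memory dump taken after stage k has run gives the analyst stage k's code, from which `next_key` (or, in a real sample, the decryption routine embedded in that stage) lets the chain be resumed from there rather than from the dropper.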

Who has been targeted?

Symantec states that the creators of Regin have been able to gain data from:

  • Government organisations
  • Infrastructure operators
  • Businesses
  • Academics
  • Private individuals

Why is it so dangerous?

Regin is modular, so whoever is behind it can easily deploy new modules. In practice this means they can keep adding new code to change what the malware actually does on an infected computer.

Whoever is behind Regin has a lot of specialist knowledge. Symantec says that 'some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers'. Most infections have been customised for the individual target, with the payloads chosen to get the most data out of each intrusion. The software has also been built to hide what it is stealing: in some cases investigators have not been able to determine what information was taken.

What is known is what kinds of information have been taken. The software has been able to:

  • Access remote features: take screenshots and control the mouse
  • Steal passwords
  • Monitor network traffic
  • Gather information on processes and memory utilisation
  • Scan for deleted files and recover them
  • Monitor traffic to IIS web servers
  • Parse mail from Exchange databases

Who is behind this?

Initial reports suggest that this malware most likely originated in the West, since western countries barely feature amongst the targets.

Saudi Arabia and Russia are the most prominent targets, accounting for 24% and 28% of infections respectively.

It has been suggested that this software was developed by a government organisation, as the code is very advanced and would have taken a team of highly skilled developers many months to complete, and even longer to maintain.