There’s a new piece of malware in town that has caught the attention of security experts and IT specialists alike. What makes it special enough that everybody is talking about it? The malware, known as Regin, is a high-profile espionage tool that is very good at flying under the radar in near-perfect stealth. This complex Trojan went unnoticed from 2008 onwards and has been used to spy on governments and the general public for years. It is highly flexible: it lets the attackers deliver customized attacks against their targets, including taking screenshots from the target computer, remotely controlling a compromised system and monitoring network traffic. Regin is delivered in several stages, each of them encrypted, which makes the malware hard to detect. It was first documented by researchers at Symantec, who believe that the back-door Trojan was created by a nation state to keep its targets under sustained surveillance. For this reason Regin is viewed as part of an online espionage campaign.
So far no one has succeeded in identifying the creator of this malware; security experts have not even been able to pin down the country or region the code might have originated from. Most infections reported so far come from different parts of the world, including Russia, Iran, India, Saudi Arabia and a number of European countries. Another thing experts know about the malware is that its attacks are not confined to high-profile targets: it has also been found on the machines of ordinary people and low-value targets.
Seemingly Random Hit List
Since its debut, Regin has infected a range of organizations, with an initial wave of activity between 2008 and 2011. That version of the malware was then withdrawn, and a new version resurfaced in 2013. Most attacks have targeted government organizations, private companies and research institutes. Regin has also been found targeting telecom operators, which experts believe is intended to gain access to calls routed through those operators’ networks.
Researchers at Symantec believe that the malware reaches individuals and companies by tricking them into visiting spoofed versions of well-known websites. They say there is a good chance that the malware infects a system through a vulnerability in the web browser or in another application.
Security researchers have also identified numerous Regin payloads. The core functionality is that of a Remote Access Trojan (RAT): it lets the attackers capture screenshots, take full control of the mouse, harvest passwords and recover deleted files. More advanced payload modules include one that monitors Microsoft IIS web server traffic.
Stealthy at its Best
The team behind Regin is believed to be extremely dedicated and persistent, having produced malware that is both low-key and dangerous. The code is crafted so carefully that it is very difficult to trace the movement of the malware or even to work out how it behaves on the network. Its stealth features include anti-forensic capabilities, an encrypted virtual file system (EVFS) and a non-standard encryption scheme, all meant to keep it off the radar. Regin also communicates covertly with the attacker via ICMP/ping, embeds commands in HTTP cookies, and uses custom TCP and UDP protocols.
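Two of those channels, commands riding in ICMP echo payloads and in HTTP cookies, can be triaged with simple heuristics on network telemetry. The script below is an added example written for this page; it is not Symantec’s analysis code nor anything recovered from Regin itself. It assumes that stock ping clients (Windows ping.exe and iputils ping) account for most benign echo traffic, so echo data that matches neither filler pattern is worth a look, and that a cookie value which is both long and close to random is more likely to carry an opaque payload than a session identifier. The thresholds, the `triage` helper and all sample records are constructed for the example.

```python
"""Triage heuristics for covert C&C over ICMP echo payloads and HTTP cookies.
Added example for this article, not Symantec's or Regin's code; every record
below is constructed, not captured traffic."""
import math
import string
from collections import Counter

# Filler pattern sent by Windows ping.exe (32 bytes). Assumption: together with the
# iputils pattern checked below, this covers the bulk of benign echo traffic.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the echo data matches a known ping client's filler pattern."""
    if payload == WINDOWS_PING_DATA:
        return True
    # iputils ping: 8-byte timestamp followed by 0x10, 0x11, 0x12, ... up to the
    # requested size, so this also accepts non-default `ping -s N` payloads.
    if len(payload) >= 16:
        body = payload[8:]
        if body == bytes((0x10 + i) & 0xFF for i in range(len(body))):
            return True
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near the top of the scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def icmp_findings(record: dict) -> list:
    """record = {"src": str, "dst": str, "type": int, "payload": bytes}"""
    if record["type"] not in (0, 8):        # only echo request/reply carry user data here
        return []
    payload = record["payload"]
    if looks_like_stock_ping(payload):
        return []
    return [f"echo data does not match a stock ping pattern ({len(payload)} bytes)"]


def cookie_findings(cookie_header: str, min_len: int = 128, min_entropy: float = 5.0) -> list:
    """Flag cookie values that are both long and near-random. A session id is
    high-entropy but short; an embedded encrypted command is high-entropy and long.
    Thresholds are assumptions to be tuned against a baseline of normal traffic."""
    out = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if len(value) >= min_len and shannon_entropy(value.encode()) >= min_entropy:
            out.append(f"oversized high-entropy cookie {name!r} ({len(value)} chars)")
    return out


def triage(icmp_records, http_cookie_headers) -> list:
    """Run both heuristics and return one human-readable alert per finding."""
    alerts = []
    for rec in icmp_records:
        for finding in icmp_findings(rec):
            alerts.append(f"ICMP {rec['src']}->{rec['dst']}: {finding}")
    for host, header in http_cookie_headers:
        for finding in cookie_findings(header):
            alerts.append(f"HTTP {host}: {finding}")
    return alerts


# Constructed sample traffic (not captured data).
UNIX_PING = bytes(8) + bytes(range(0x10, 0x10 + 48))            # 56-byte iputils payload
OPAQUE_BLOB = bytes((i * 131 + 17) & 0xFF for i in range(200))  # stand-in for an encrypted command
SAMPLE_ICMP = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "type": 8, "payload": WINDOWS_PING_DATA},
    {"src": "10.0.0.6", "dst": "10.0.0.1", "type": 8, "payload": UNIX_PING},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "type": 8, "payload": OPAQUE_BLOB},
]
B64_ALPHABET = string.ascii_letters + string.digits + "+/"
SAMPLE_COOKIES = [
    ("intranet.example", "PHPSESSID=4f9d2a1c6b8e0d3f5a7c9e1b2d4f6a8c; lang=en"),
    ("cdn.example", "sid=" + B64_ALPHABET * 3),  # 192 chars at 6 bits/char
]

if __name__ == "__main__":
    for line in triage(SAMPLE_ICMP, SAMPLE_COOKIES):
        print(line)
```

Run stand-alone, the script raises one alert for the 200-byte echo payload and one for the oversized cookie, and stays silent on the two stock pings and the ordinary session cookie. Treat the output as a triage queue rather than a verdict: `ping -p` with a custom pattern, monitoring tools that craft their own echo probes, and legitimately long cookies such as JWTs will all trip these rules, so the next step is to look at who the endpoint is talking to and how regularly.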
Long Term Potential
After reviewing the data on Regin, most security experts have described it as an extremely complex online threat used primarily for covert data collection and intelligence gathering. The malware is believed to have originated from a nation state: this is not run-of-the-mill malicious code, but a tool designed to keep its targets under aggressive surveillance at all times. The existence of Regin also shows that governments are willing to pay large sums to develop tools that can gather intelligence on a wide range of targets, which points to the long-term role of malware in cyber warfare. So far only some traces of the malware have been discovered and analyzed, while a large part of the code remains hidden in the ‘infosphere’. Security firms are working to unearth additional traces so that it can be studied in greater detail. Similar attacks will keep exposing both the public and governments, and security experts will keep fighting such threats in an attempt to win the war against highly specialized malware.