Regin – who is behind it and what does it mean

Earlier today, Symantec published a white paper describing Regin – sophisticated malware that has been quietly infiltrating and monitoring systems pretty much undetected since 2008. The methods used by Regin to avoid detection are so sophisticated that researchers place it in the realm of Stuxnet and conclude that it is developed by a nation-state.

Characteristics of Regin include:
– Five-stage loading architecture. Only the first stage (the dropper) is temporarily visible as code in a file on the system – all other stages are encrypted data blobs. The dropper has not been found by researchers yet.
– Customised payloads dependent upon the specific target (50 different payloads have been found in 100 infections).
– Standard Remote Access Trojan (RAT) features such as capturing screenshots and taking over mouse control.
– Bi-directional communication with the Command and Control (C&C) server.
– Considerable effort has been put into hiding the files. The small dropper file is used to trigger the download of other elements, all of which are encrypted and carefully hidden. The dropper file is then deleted – leaving no files with unencrypted code on the infected system.

The million-dollar question is which nation-state created Regin?

If we examine known infections for clues as to origin, Symantec reveal that incidents have been found mainly in Russia and Saudi Arabia, and also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. Most targets have been private individuals and small firms, followed by telecoms, hospitality, energy, airlines and the research sector. Regin payloads in the telecommunications industry have focussed on obtaining data on phone calls.

F-Secure believe that Regin did not originate in either Russia or China. Symantec believe Regin comes from a Western country. I suspect that a strong clue to Regin’s origin lies in the fact that the staged loading architecture is the same as that used in the Duqu/Stuxnet family. It is highly suspected that Stuxnet originated mainly from the US/Israel; however, we now know that a lot of the Stuxnet work was done by the UK and Germany. I suspect that the US were not involved in Regin, as they would have prevented Symantec from publishing the white paper today. So who does that leave as possible origin countries? My surmising leaves the UK and/or Germany as most likely. Even though much telecommunication data is freely available to Five Eyes countries such as the UK, data on telecommunications in Russia and Saudi Arabia would be lacking, and would be a particularly useful and sought-after asset for UK or German intelligence, for example.

Countries such as Mexico and Ireland would not be priorities for infection by our prime suspects. However, it is quite possible that some infections have been made deliberately to confuse – a tactic commonly used in the espionage activities of nation-states (see for example the debate around the bombing of the city of Coventry during WWII).

Regin required considerable resources to develop. It would also require considerable resources to maintain and operate, including manual intervention – it is not a wide-scale automated attack, but requires manual tailoring for each target. It is likely that the initial infiltration to deposit the dropper on the target system involves spear-phishing tactics.

It is inevitable that the sophisticated hiding techniques of Regin will find their way into malware attacks by criminal gangs, as well as into espionage activities by other nation-states such as China. We may well soon find ourselves in a world where no-one is confident that their systems are not infected and that their every digital move is not being monitored and surveilled – individuals, organisations and governments alike will be unable to tell whether their systems have been infected by sophisticated malware that is so difficult to detect.
