Regin Spying Software Has Been Attacking Governments And Corporations Since 2008

Symantec has found an unusual new threat called Regin, aka Backdoor.Regin. The software, which is essentially a very powerful Trojan Horse, appears to have been circulating in the wild since 2008 and has been hitting governmental, industrial, and individual systems with impunity, using sophisticated encryption and careful target selection to spy on its victims.

The anti-virus company has released a white paper on the new threat, noting its similarity to the specially targeted Stuxnet virus that attacked Iranian nuclear reactors.

Is the tool still a threat? As far as Symantec can tell, the original Regin virus disappeared in 2011 only to reappear in 2013. The virus was able to hide itself completely on host computers, and it wasn’t until Symantec reverse-engineered its packets that the company could gauge the scope and danger of the virus. It is completely modular, allowing its controllers to load components for stealing information and spying on network traffic.
[Figure 1: Regin architecture]
From the report:

Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.

There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.

Recode reported that the software has special payloads targeting airline and energy industries. It seems to have first spread in infected payloads hidden in legitimate software.