Espionage Malware Alert Sounded'Regin' Has Stuxnet-Like Capabilities, Researchers Say
Stealth espionage malware has been used to target government agencies, businesses and research institutes, as well as a variety of private individuals and small businesses, according to new research released by information security vendors F-Secure, Kaspersky Lab and Symantec.
The researchers have declined to speculate about what nation is behind the attacks, and none of the security firms' separate reports reveal precisely which businesses or organizations have been targeted. But Symantec says that the greatest number of related infections have been found in Russia and Saudi Arabia.
While the malware family used in the attacks - known as both Regin and Regis - was first discovered in the wild in 2008, and may even date to 2003, multiple information security researchers are warning that more advanced versions of the malware have been spotted in long-running attack campaigns.
Since 2013, security experts say the malware has been getting makeovers that make it more difficult to detect, because it now uses an expanding array of modules that provide attackers with a wide variety of targeted capabilities, including remote access Trojan-like features, such as keystroke logging and capturing screenshots; a Microsoft IIS Web traffic monitor; and a GSM network base station sniffer. Security vendors named the malware for its ability to load its attack modules in the registry of an infected PC.
"We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe," says Antti Tikkanen, director of security response at Finnish anti-virus firm F-Secure. The rootkit, however, was crashing the Windows system it had infected, triggering a blue screen of death - and leading researchers to identify the malware as the source of the crash.
Since then, however, the malware's sophistication has increased significantly, Tikkanen says. Today, based on its complexity, "we would place Regin in the same category of highly sophisticated espionage campaigns together with the likes of Stuxnet, Flame and Turla/Snake," he says.
Anti-virus vendor Kaspersky Lab, which has recovered samples of Regin that appear to date to 2003, likewise describes recent versions of the malware as "one of the most sophisticated attack platforms we have ever analyzed," citing its GSM [Global System for Mobile communications] network monitoring capabilities.
Tough To Spot
Over time, Regin's developers have continued to make the malware more difficult to detect. "Regin's developers put considerable effort into making it highly inconspicuous," information security researchers at Symantec say in a blog post. Notably, the malware can covertly communicate with attackers' command-and-control servers using a number of different techniques, including "embedding commands in HTTP cookies," using custom TCP or UDP protocols, and using the ICMP/ping networking protocol, which is normally used by devices to relay error messages. The malware's developers have also imbued it with a custom-built virtual file system that's encrypted, as well as the ability to use an obscure variant of the RC5 symmetric-key block cipher, all of which makes it difficult to understand the inner workings of the malware and related attack campaigns.
Once Regin infects a system, attackers can customize their attack by pushing a variety of add-on modules to the system, including the aforementioned RAT-like capabilities, which include seizing control of the PC's mouse and point-and-click capabilities, monitoring network traffic and stealing passwords. The use of such modules has also been seen before. "This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil - The Mask - while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats," Symantec says.
Such capabilities are indicators that the tool was designed to conduct long-term reconnaissance, Symantec says. "Its low-key nature means it can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing," Symantec says. That means it would be tough to spot the suspicious behavior based just on network or traffic monitoring. Symantec's researchers say they had to decrypt and study many of the attack modules before they could ascertain their purpose.
The malware appears to be so stealthy that security experts still don't know exactly how attackers have been sneaking it onto victims' PCs. Indeed, Symantec says the latest version of Regin uses a six-stage attack, but it has yet to recover the dropper file used in the initial - "stage 0" - phase, which installs the actual malware executable. But the security firm says it suspects that the malware has been installed after tricking a victim into visiting a spoofed website, or downloading a malicious copy of an otherwise legitimate application, or else via social media tools. "On one computer, log files showed that Regin originated from Yahoo Instant Messenger through an unconfirmed exploit," Symantec says.
"One of the first steps sophisticated attackers do is to cover up how they infiltrate a system," says Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "The fact that the attackers behind Regin have been so successful in doing this would indicate they have a high level of capability and competency."
Regin's sophistication suggests that it was developed by a well-financed team. "It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks," Symantec says. "Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state."
The list of Regin's targets may hold clues as to the identify of the attacker. Symantec says that of the approximately 100 Regin infections it's seen to date, 28 percent were in Russia, and 24 percent in Saudi Arabia, followed by Mexico and Ireland, each with 9 percent. Meanwhile, Afghanistan, Austria, Belgium, India, Iran, and Pakistan each accounted for 5 percent of all infections. A Symantec spokeswoman says there were virtually no U.S. or U.K. infections.
All three of the information security firms that have released Regin research declined to speculate as to which nation may have built the malware. "As always, attribution is difficult with cases like this," F-Secure's Tikkanen says. And based on F-Secure's own analysis of the attack campaign, "our belief is that this malware, for a change, isn't coming from Russia or China," he adds.
But some security experts wonder if the list of potential nations that could be responsible for Regin should include the United States, given that it's suspected of launching the cyberweapons program that built both Flame and Stuxnet, the latter of which dates to 2007.
Ronald Prins, a security expert at Fox IT - which was hired to investigate a Regin outbreak at Belgian telecommunications firm Belgacon - says he believes the malware to be the work of U.S. and U.K. intelligence agencies. "Having analyzed this malware and looked at the [previously published] Snowden documents," Prins tells The Intercept, "I'm convinced Regin is used by British and American intelligence services."
Regardless of who's behind Regin, Honan says the latest research into the malware only reinforces the need for would-be victims to put appropriate defenses in place. "If your organization has a certain profile to make it a high-value target, such as government agencies, companies with high-value research, or access to sensitive information, then you will be targeted by criminals and indeed by spies from other nations," he says. "This means that your security defense has to be a very comprehensive, defense-in-depth strategy. If you are simply relying on firewalls and anti-virus software then you will not be able to effectively defend against these type of attacks."