Security researchers have found that a highly advanced, sophisticated piece of malware has been used since 2008 to spy on a wide range of international targets, including governments, infrastructure operators and other high-profile individuals. According to security researchers at the antivirus maker Symantec Corp., the malware, dubbed “Regin”, is said to be more sophisticated than Stuxnet and Duqu.
Believed to be Developed By Nation State
The company believes that the sophisticated Regin malware was developed by a wealthy “nation state” and serves as one of that state’s primary cyber espionage tools, given the financial clout needed to produce code of this complexity, with several stealth features to avoid detection. However, Symantec did not identify which country was behind it.
Symantec’s Security Response team said: “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.”
“The antivirus company Symantec did not name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011 with a since-decommissioned version of the malware that resurfaced after 2013.”
Regin uses a modular approach that allows it to load only the features that fit a particular target, enabling customized spying. The malware’s design makes it highly suited for persistent, long-term mass surveillance operations against targets, says the antivirus company.
The malware’s main targets include ISPs (Internet service providers) and telecommunications companies, where the Trojan appears to be used to monitor calls and communications routed through those firms’ infrastructure. Other targets include organisations in the hospitality, health, energy, airline and research sectors.
“Regin is a highly complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources,” antivirus firm Symantec said.
Customizable Five Stage Structure
Regin’s highly customizable structure provides large-scale remote access Trojan capabilities, including password and data theft, capturing screenshots from infected computers, hijacking the mouse’s point-and-click functions, monitoring network traffic and analyzing email from Exchange databases.
“Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against private individuals, government organisations, infrastructure operators, researchers, and businesses,” Symantec said.
In order to remain undetected, Regin is organized into five stages, each “hidden and encrypted, with the exception of the first stage.” It is a multi-stage attack in which each stage reveals only a part of the overall attack. Executing the first stage starts a domino chain: the second stage is decrypted and executed, which in turn decrypts the third stage, and so on.
The whole picture of the Regin malware only emerges once all five stages have been acquired, because each stage on its own provides little information about the complete package. Regin contains dozens of payloads, including code for seizing control of an infected computer’s mouse, capturing screenshots, monitoring network traffic, stealing passwords, and recovering deleted files.