Sophisticated Regin Attacks Carry Dangerous Capabilities, Symantec Says

A new and dangerous cyberespionage threat called Regin appears to be designed like no other advanced persistent threat, according to Symantec, which said the malware was designed to monitor targeted organizations for extended periods of time.

In a report (.pdf) outlining the Regin Trojan back door, Symantec said the threat's sophistication puts it in the same class as the Stuxnet and Duqu malware. Regin operates in six stages and targeted a variety of organizations between 2008 and 2011, before disappearing for a short period. A second version re-emerged in 2013.

"Regin is a highly-complex threat which has been used for large-scale data collection or intelligence gathering campaigns," Symantec said. "The development and operation of this threat would have required a significant investment of time and resources."


The list of organizations targeted by the Regin malware is extensive, and nearly half of the victims are private individuals and small businesses. The attacks also hit telecommunications providers and individuals at companies in the hospitality, energy and airline sectors. Individuals at organizations in Russia and Saudi Arabia appear to have been targeted the most. The Regin campaign was also detected at organizations in Mexico, Ireland and India, Symantec said.

"Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites, and the threat may be installed through a Web browser or by exploiting an application," the company said in its report.

The infection includes a rootkit capable of hooking into the underlying operating system processes. Once a system was infected, the attackers obtained complete control of it and could easily evade detection, Symantec said.

Payloads dropped onto the system included network-traffic-capturing functionality and the ability to view SSL-protected traffic. A password stealer could capture Windows passwords and browser credentials. A recording module could capture screenshots and log keystrokes and mouse clicks.

Nearly all nation states, including Russia, China and the U.S., conduct targeted, sophisticated cyberespionage attacks. Solution providers said Regin, and other advanced persistent threats like it, are a serious concern because organizations typically get caught in the middle of cyberespionage campaigns. For example, Stuxnet, which was said to have been designed by the U.S. and Israel to target and disrupt the Siemens industrial control systems supporting Iran's uranium enrichment program, was found on similar industrial control systems at manufacturers and power-generation facilities globally. The combination of high-profile retail industry data breaches and targeted attack campaigns is getting organizations to allocate more resources toward security, said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider.

"Generally, awareness of threats of all levels of sophistication is growing across the board," MacBean said in a recent interview. "People at the higher levels of the organization are seeing instances of breaches on such a wide scale and targeted attacks that they are under greater pressure to do something about it."

Symantec researchers could not determine how the advanced persistent threat gained initial access to the victim organizations, but said Regin was likely delivered through an attack website. Log files analyzed by the researchers showed signs that an early exploit was delivered through Yahoo Instant Messenger, according to the report.

Regin stores data files and payloads on disk in encrypted virtual file systems. Collected data is then uploaded to an extensive command-and-control infrastructure, Symantec said.

Symantec called the threat's communication backbone "bi-directional," meaning attackers can issue commands to compromised computers, and infected systems can reach out to the attackers with collected information. Peer-to-peer communication is also built into the threat, enabling access and data flow between infected systems, according to the Symantec report.