Businesses Should Care About Regin, Other APT Attacks

Beyond its extensive functionality, the Regin Trojan remains a cyberespionage threat whose full extent is shrouded in mystery. Regin is being compared to Stuxnet, Duqu and other advanced persistent threats created by nation-state-funded attackers, according to Symantec. One thing is for certain, according to F-Secure, the Finnish antivirus vendor that analyzed Regin: "This malware, for a change, isn't coming from Russia or China." Trend Micro, one of Symantec's endpoint security rivals, noted that many of the techniques used in Regin can be found in other attacks, but added that the well-crafted attack carried all the functionality needed for a stealthy and sustained presence on the targeted victims' systems. Researchers at Kaspersky Lab believe some parts of the malware may be a decade old or more. Kaspersky said it uncovered 27 different victims and noted the wide variety of organizations the attackers targeted. The most interesting Regin feature may be its ability to infiltrate a cellular network and use it to carry out an attack, Kaspersky Lab said. While Regin remains a mystery, one thing is clear: nation-state spying is being carried out by every country with cyber capabilities. Businesses should care because they often are the casualties of that activity, and the consequence could be a costly data breach, solution providers told CRN.

Regin: Advanced Persistent Threat On Steroids

Security researchers believe Regin has been active since at least 2008. Attacks fell off in 2011 but re-emerged in 2013, according to Symantec. The rootkit was designed to give attackers complete control of a victim's system and let them remain on it for extended periods of time. Its components were designed to stay stealthy, evade detection and record as much information as possible about the targeted victim. Those victims were mainly in Russia and Saudi Arabia, leading some security researchers to believe that the U.S. or another Western ally may have been behind the threat.

Regin: An Attack In Six Stages

The designers of Regin architected it to carry out an attack in six stages, according to Symantec. The staged design gave the attackers flexibility in delivering the initial infection and in bypassing system restrictions and other security defenses, Symantec said. The malware was delivered through instant messaging, email attachments and other common vectors; Symantec said it identified Yahoo Messenger as the delivery method in one of the earliest attacks on record. Drive-by or watering-hole attacks also are believed to be a common vector. In a watering-hole attack, the attackers study their target and identify a website frequently visited by its employees. Once that website is compromised, an attack platform is set up on it that singles out visiting employees and exploits a Java flaw, a Flash vulnerability or another common software vulnerability to deliver the malware payload.

Regin: The Victims

Private individuals and small businesses were Regin's most common targets. Internet service providers and the telecommunications companies supporting them were also frequently attacked, as were hotels, restaurants and other businesses in the hospitality industry. Other victims were in the energy sector, the airline industry and research organizations, Symantec said. The creators of Regin built a modular framework, adding kernel-level modules and payloads whose functionality and exported routines fit their targets' systems, and chose delivery mechanisms that fit their targets' habits.

Regin's Extensive Capabilities

If Regin were a vehicle, it would be the Cadillac of cyberespionage malware. Symantec researchers said Regin can steal just about anything from its target. Like most espionage malware, Regin begins by taking a snapshot of the file system, running processes and memory information, packaging the data up and sending it to a remote server controlled by the attackers. The malware also has a component that sniffs low-level network traffic. A separate keylogger component records keystrokes, and another function records mouse clicks. A screen-capture function can be triggered on command. The malware authors designed some more advanced capabilities as well: Regin can recover files that were deleted, and it has a forensic component that can capture information, including passwords and other sensitive data, temporarily held in system memory.

Regin's Extensive Supporting Infrastructure

Regin's command-and-control infrastructure supports bi-directional communication: the attackers can send commands to infected machines, and infected machines can reach out to the attackers. The infrastructure also supports a peer-to-peer protocol among infected systems, so that commands can still be relayed between them if direct communication with the attackers is disrupted, Symantec said.

Regin's Control Of GSM Networks

Kaspersky Lab, which also uncovered and analyzed Regin, found capabilities within the malware to gain access to and control mobile base station controllers. That functionality gives attackers the ability to zero in on individuals based on their cellular traffic. Kaspersky said it found an infection at a large GSM operator in 2008 and saw evidence that the attackers obtained credentials for engineering accounts. The most recent infection Kaspersky uncovered was on a modern, 64-bit system, and the company said the threat remained active in 2014. "In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user," Kaspersky said in its report issued this week, warning that attackers could abuse cellular networks to launch other types of threats against mobile users.