Symantec has discovered Regin, a highly advanced piece of malware that has been used for mass surveillance on governments, infrastructure operators, businesses and individuals for more than 6 years. At the moment, ten countries have been identified in which Regin operates. One of the countries is Pakistan.
The security firm said that the technical ability in the design of the bug has rarely been seen before and it equated the complexity of Regin to Stuxnet. The bug was built for long term intelligence gathering and uses some of the most advanced techniques known to spy and conceal itself.
The complexity, skills and level of resources required to create Regin can only mean that it is one of the main tools used to spy by a major nation
The timeline of Regin suggests that it started spying in 2008 and continued till 2011. After that, it disappeared until a new version came up in 2013. About 50% of the infections targeted small business and individuals while attacks on telecom operators were designed to get access to the calls being routed through their systems.
Regin is a highly versatile bug and it can customize itself according to its target. It has dozen of payloads and once installed, it can do everything from taking screenshots, steal private information, monitor traffic as well as recover deleted files. The flexible nature and advanced knowledge of some fields required to create the payloads is further evidence of the resources put into Regin.
The worrying thing is that Symantec has not been able to determine how Regin infects computers. Furthermore, even when it has been detected, it is difficult to find out what it is actually doing. In many cases, Symantec wasn’t even able to retrieve the files containing the stolen data. That is because Regin uses advanced techniques to avoid detection.
We don’t know the full capabilities, method of infection or how to determine what Regin is doing once it is detected
Those include a custom built virtual file system (EVFS) and a variant of an uncommon type of encryption called RC5. To communicate with the attackers, it uses a variety of means that range from pings, embedded commands in HTTP cookies and custom TCP and UDP protocols. What this all means is that Regin could be spying for years and go undetected.
Overall, the discovery of Regin is groundbreaking. It has gone undetected for years and everyone from powerful individuals to governments and corporations have been targeted. We still don’t know the full extent of what it can do or even how to get rid of it. But now that Symantec has gone public with the discovery, we can only hope researchers and other security firms are able to find out more.
If you want to read the white paper that details the analysis of Regin, you can see it here.