There’s a new piece of dangerous espionage malware threatening the security of nations around the world, along the lines of Stuxnet.
It’s called Regin, and security firm Symantec says it displays a worrying level of technical competence in its construction.
Apparently the malware, a backdoor Trojan, has been used in spying campaigns against countries around the world since 2008. It’s hidden and encrypted (save for the first stage of infection), and highly customisable, meaning users can imbue it with an extensive range of capabilities to hone and specially tailor any particular attack, and the authors of the software have gone to “great lengths to cover its tracks”.
Regin actually uses a five stage modular approach in its infection routine, and this multi-stage loading system is similar to what is seen with Stuxnet malware.
The malware can carry a range of payloads, with the standard load-out including a number of Remote Access Trojan features such as password stealing, taking screen grabs, monitoring network traffic and so on. As mentioned, though, it’s highly customisable from this base.
Infection is another mystery to some extent, with “no reproducible vector” found, though Symantec says that some infections may have occurred via false versions of well-known websites which users have been tricked into visiting – an old chestnut. As ever, don’t blindly click links, and carefully check and verify any linked URL to make sure there isn’t a slight misspelling in there.
Interestingly, while Regin has been around doing its dirty spying work since 2008, it was withdrawn from action in 2011, but a new version of the malware appeared last year. As well as governments, enterprises and research institutes have been targeted by the malware.
Symantec warned: “The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.”