Complex Regin Cyber-Spy Malware Steals Data, Leaves Little Evidence
Antivirus firms have investigated the platform for years but failed to find exploits, command-and-control servers or the attacker's identity.Online spies using an espionage platform, known as Regin, have had significant success at infiltrating systems in Russia, Saudi Arabia and other countries, without leaving much trace, according to antivirus firms. Since at least 2008, and perhaps as early as 2003, unknown adversaries have used the Regin platform to create multi-stage malware attacks that have compromised systems and stolen data from telecommunications firms, government officials, multinational agencies, financial and research institutions, and individuals. Antivirus firms used superlatives to describe the platform and its ability to create sophisticated and customized malware to conduct whatever types of operations are necessary. "Regin is an extremely complex piece of software that can be customized with a wide range of different capabilities which can be deployed depending on the target," Symantec stated in a report published on Nov. 23. "Its stealth combines many of the most advanced techniques that we have ever seen in use." Regin is not a specific piece of malware, or a campaign targeting a group of common targets, but a ""platform, which researchers have not seen, to create malware for specific attacks or operations. The malware used in those operations left behind evidence that security researchers used to piece together information about the platform that created them.
The modularity of the code is one advanced technique that made investigations more difficult. Different modules were used to attack each target and were delivered in five stages with all five stages encrypted using a single key. Because different operations used different keys, investigators had to hope to find all five stages on the same system or find systems that had been infected with malware using the same key, Liam O'Murchu, senior development manager for security response at Symantec, told eWEEK.