Finding the Regin malware on your network is sort of like getting an unexpected visit from the U.S. Navy's SEAL Team Six. You know somebody very powerful is thinking about you, and you wish that you had somehow passed up the honor of its visit.
Like those heavily armed Navy special operations teams, Regin and its successors don't go out on their own. They are deliberately sent. "Regin is the cyber equivalent of a specialist covert reconnaissance team," said Pedro Bustamante, director of special projects at Malwarebytes, in an email to eWEEK.
Regin also has some unusual capabilities, not unlike those covert special operations military units. "The analysis shows it to be highly adaptable, changing its method of attack depending on the target. It also has some very advanced evasion techniques that make it suitable for spending long periods carrying out undercover surveillance."
Bustamante said that the Regin malware is delivered through common exploits, including email and online chat sessions. "The result is that targets would typically have no knowledge of infection, allowing Regin to quietly decrypt its various payloads unseen before moving stealthily through networks in the background."
As bad as that sounds, it's really the good news. Unlike malware created by cybercrime operators, Regin does not spread on its own and, significantly, it can cease operations and disappear whenever its controllers tell it to.
It's also different from Stuxnet, which replicated itself in its search for the computers controlling Iranian uranium centrifuges, but stayed dormant when it found that it was in the wrong environment, one without the Siemens industrial control software it was built to subvert.
Unless you were running a uranium enrichment plant, Stuxnet created problems only because of the network and host resources it consumed while trying to replicate itself. It also carried a hard-coded cutoff date after which it stopped spreading, so eventually it gave up and died out.
Regin, on the other hand, does no such thing. "This remains an extremely targeted campaign," said Costin Raiu, director of the global research and analysis team at Kaspersky Lab in Bucharest. "In total, we counted only 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network," Raiu said.
The 27 target networks were spread across 14 countries, including Afghanistan, Germany, Indonesia, Iran, Pakistan, Russia and Syria, according to Kaspersky.
"The number of unique PCs infected with Regin is of course much, much higher. Regin is highly controlled and cannot escape because it doesn't have automatic self-replication code inside. The only time samples appear on multi-scanner services is when victims notice it and upload it for confirmation," Raiu explained.
Raiu noted that the original version of Regin was withdrawn in 2011 and didn't reappear until a new version surfaced in 2013.