Complex Regin Cyber-Spy Malware Steals Data, Leaves Little Evidence

Antivirus firms have investigated the platform for years but failed to find exploits, command-and-control servers or the attacker's identity.

espionage platform

Online spies using an espionage platform, known as Regin, have had significant success at infiltrating systems in Russia, Saudi Arabia and other countries, without leaving much trace, according to antivirus firms.

Since at least 2008, and perhaps as early as 2003, unknown adversaries have used the Regin platform to create multi-stage malware attacks that have compromised systems and stolen data from telecommunications firms, government officials, multinational agencies, financial and research institutions, and individuals. Antivirus firms used superlatives to describe the platform and its ability to create sophisticated and customized malware to conduct whatever types of operations are necessary.

"Regin is an extremely complex piece of software that can be customized with a wide range of different capabilities which can be deployed depending on the target," Symantec stated in a report published on Nov. 23. "Its stealth combines many of the most advanced techniques that we have ever seen in use."

Regin is not a specific piece of malware, or a campaign targeting a group of common targets, but a ""platform, which researchers have not seen, to create malware for specific attacks or operations. The malware used in those operations left behind evidence that security researchers used to piece together information about the platform that created them.

The modularity of the code is one advanced technique that made investigations more difficult. Different modules were used to attack each target and were delivered in five stages with all five stages encrypted using a single key. Because different operations used different keys, investigators had to hope to find all five stages on the same system or find systems that had been infected with malware using the same key, Liam O'Murchu, senior development manager for security response at Symantec, told eWEEK.

"It did thwart things quite a bit, not because the encryption was difficult to get by but because you have to recover all these stages at the same time in order to decrypt them," he said. "The key changes from version to version and from sample to sample."

Symantec first began investigating malware connected to the Regin platform in the fall of 2013. The company was not the first. Russian antivirus firm Kaspersky Lab became aware of the attack tool in the spring of 2012 while F-Secure claims it had researched the attack since 2009.

The Regin platform stores code in encrypted virtual file systems to better hide the information from security software. The platform also creates malware that can monitor the GSM networks used by cellular phones.

"In today's world, we have become too dependent on mobile phone networks, which rely on ancient communication protocols with little or no security available for the end user," Kaspersky Lab stated in its analysis. "Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users."

The sophistication of its techniques puts Regin in the same category, if not above, the likes of Stuxnet, Flame and Snake/Turla, three of the most advanced threats seen to date, according to security firm F-Secure.

"As always, attribution is difficult with cases like this," F-Secure stated. "Our belief is that this malware, for a change, isn't coming from Russia or China."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...