Highly complex cyber-espionage malware that may have been created by state-sponsored hackers has infected private and public entities across the globe.
The Regin malware, which is described in a new white paper by cyber-security firm Symantec, appears to be a back-door Trojan designed for the continuous monitoring of targets, and has been active since 2008.
Regin appears capable of taking screenshots, controlling a user’s mouse cursor, stealing passwords, monitoring network traffic and scanning for and recovering deleted files, Symantec says, and has been used against government organisations, infrastructure operators, businesses, researchers, private individuals and telecoms operators.
“Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen,” the firm said in a blog post.
“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state.”
Symantec first became aware of Regin in 2013, but the malware’s modular design, in which a number of interdependent components together carry out attack operations, has made analysis of the threat difficult: all of the components must be recovered in order to understand it fully.
This multi-stage, modular design also makes the malware highly customisable, according to the report, giving operators the flexibility to load custom features tailored to individual targets when required.
Some custom payloads are very advanced and built for very specific goals, according to Symantec. One module discovered was designed to monitor network traffic to Microsoft Internet Information Services (IIS) web servers, while another was designed to collect administration traffic for mobile telephony base station controllers.
Anti-forensics capabilities, such as a custom-built encrypted virtual file system and the use of an uncommon variant of the RC5 cipher, make the malware particularly stealthy, suggesting its operators designed it to carry out “persistent, long-term surveillance operations”. According to Symantec, even when its presence is detected it is difficult to tell what it is doing.
“In the world of malware threats, only a few rare examples can truly be considered ground-breaking and almost peerless. What we have seen in Regin is just such a class of malware,” said the report.
“It goes to extraordinary lengths to conceal itself and its activities on compromised computers. Its stealth combines many of the most advanced techniques that we have ever seen in use.”
Computers can be infected via spoofed copies of popular websites. On one computer, Symantec’s investigation showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.
The report released by Symantec says Ireland accounts for 9 per cent of confirmed infections, and that Russia, Saudi Arabia and Mexico have also been heavily affected.