‘Elegant’ Regin Malware Linked to Brits, NSA

A sophisticated malware program called “Regin” has been used in systematic spying campaigns against a range of international targets since at least 2008, Symantec reported on Sunday.

Regin is a backdoor-type Trojan with a structure that displays a degree of technical competence rarely seen in malware, according to Symantec.

“Its elegance is comparable to Stuxnet and [it is] much more elegant than Flame,” said Scott Borg, CEO and chief economist with the U.S. Cyber Consequences Unit.

“It’s a beautiful piece of architecture,” he told TechNewsWorld.

Stuxnet, which was used to attack Iran’s nuclear development program, and Flame, which was used to spy on computers in Iran and elsewhere, are widely believed to have been created by the United states and Israel because of their sophistication.

Regin “has a level of sophistication that we never see in cybercriminal types of malware,” Richard Stiennon, chief research analyst with IT Harvest, told TechNewsWorld.

Stealthy Attacker

Regin makes sophisticated use of modular design and encryption, noted Adam Kujawa, a malware intelligent analyst with Malwarebytes.

“The malware keeps itself separated into multiple parts. Each part is heavily encrypted and, most of the time, difficult to identify as being a part of anything,” he told TechNewsWorld.

“In addition, the malware stores operational code within the Windows registry, something that has only been seen a couple of times in the past few months” he pointed out.

Remember, Regin was written in 2008 or earlier.

“The command-and-control communications is also sophisticated and designed to conceal outgoing traffic,” SentinelOne CEO Tomer Weingarten told TechNewsWorld.

However, once the malware is installed, the payloads themselves are straightforward and display the same actions and level of sophistication seen in everyday malware — such as screen grabbing, password stealing and undeleting files.

As sophisticated as Regin is, it’s missing some tricks found in Stuxnet, such as signing its kernel driver to bypass Microsoft PatchGuard in the 64-bit version of Windows.

“To bypass PatchGuard, malware needs a genuine security certificate. This has only been seen in malware a handful of times, and only in the most advanced attacks. Stuxnet is one example,” Weingarten said.

“This could imply that Regin is the work of a smaller government which is not as technologically sophisticated as top-tier nation states,” he reasoned.

Massive Resources Required

On the other hand, Regin took months, if not years, to develop, Symantec estimated, arguing that the level of resources needed to produce the malware indicates that it is a cyberespionage tool used by a nation state.

Symantec stopped short, however, of fingering the nation state most likely to be behind the malware that primarily has infected governments, businesses, infrastructure operations and individuals in Russia, Saudi Arabia, Mexico and Ireland.

“Due to its structure, its method of operation, and the professional approach used in programming it, Regin bears the hallmarks of having been created and used by an organized, well-funded operation, probably for the purpose of espionage and surveillance,” Symantec Security Operations Manager Orla Cox told TechNewsWorld.

“While it is likely authored by a government-sponsored group, Symantec does not have any evidence that would link the creation and use of Regin to a particular state or state agency,” she added.

However, Regin was used by British Intelligence to spy on the Belgian telco Belgacom and by the NSA to spy on European Union computer systems, The Intercept reported.

Reverse Engineering

The origin of Regin may be inferred by the countries where infections have not been found, suggested Timo Hirvonen, a senior researcher with F-Secure.

“There are no victims reported from the FVEY countries,” he told TechNewsWorld.

Those countries — the United States, United Kingdom, New Zealand, Australia and Canada — have a joint agreement on “signal intelligence,” which includes cyberespionage.

While Regin doesn’t pose a threat to Americans at the moment, that could change.

“If Regin is reverse-engineered, there’s a risk that it could be used against our own government to steal sensitive information,” said Chris Messer, vice president of technology for Coretelligent.

“If foreign intelligence agencies or hacking groups are able to reverse-engineer samples of this malware and then use the techniques or code deployed in their own malware, it could be more widely deployed and cause significant damage by stealing sensitive information from Americans that they’re able to infect,” he told TechNewsWorld.

That may be much easier said than done, however.

“This isn’t something people can reverse-engineer,” said the U.S. Cyber Consequences Unit’s Borg. “Reverse-engineering this would be just about as hard as writing it.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels