Stealthy Regin malware is a 'top-tier espionage tool'

Regin's behavior suggests that the newly uncovered and "highly complex" spying threat came from a nation-state, Symantec reports.

The "highly complex" Regin malware is hard to detect and defend against, says Symantec. CNET

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report released Sunday.

The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it's the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware's design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software.

"Regin's developers put considerable effort into making it highly inconspicuous. Its low key nature means it can potentially be used in espionage campaigns lasting several years," the company said in a statement. "Even when its presence is detected, it is very difficult to ascertain what it is doing."

The highly customizable nature of Regin, which Symantec labeled a "top-tier espionage tool," allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse's point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.

Cyberespionage is a sensitive subject, often straining diplomatic relations between countries. The US and China have tussled for years over accusations of electronic spying. The US has accused China's government and military of engaging in widespread cyberespionage targeting US government and business computer networks. China has denied the charges and accused the US of similar behavior targeting its own infrastructure.

Some of Regin's main targets include Internet service providers and telecommunications companies, where it appears the complex software is used to monitor calls and communications routed through the companies' infrastructure. Other targets include companies in the airline, energy, hospitality and research sectors, Symantec said.

The malware's targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India.

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware's structure. All five stages had to be acquired to analyze the threat posed by the malware.

The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.

Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.

"Regin uses a modular approach," Symantec said, "giving flexibility to the threat operators as they can load custom features tailored to individual targets when required."

Featured Video