Symantec said the backdoor-type Trojan “is a complex piece of malware whose structure displays a degree of technical competence rarely seen”.
Regin infections were observed in a variety of organisations between 2008 and 2011, “after which it was abruptly withdrawn”, Symantec said. “A new version of the malware resurfaced from 2013 onwards.”
“Almost half of all infections targeted private individuals and small businesses. Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure,” Symantec said.
The malware is “customisable with an extensive range of capabilities depending on the target” and “provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals”, Symantec said.
According to Symantec, it is likely that the development of Regin “took months, if not years, to complete and its authors have gone to great lengths to cover its tracks”. The “capabilities and the level of resources behind Regin indicate that it is one of the main cyber-espionage tools used by a nation state”.
Symantec has published a technical whitepaper (22-page / 3.28 MB PDF) which describes Regin as a “multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage”. Symantec said: “Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat.”
“Regin also uses a modular approach, allowing it to load custom features tailored to the target,” Symantec said. That modular approach “has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats”.
Symantec said it continues to analyse the malware and will publish “any updates on future discoveries”.
A senior official of an advocacy body for the global software industry said earlier this month that there is an “uneven landscape” for cyber security readiness in Europe which should be tackled by investing in “critical infrastructure”.