Monday, 24 November 2014

Sophisticated Cyber-Espionage Malware Uncovered By Symantec

Symantec’s security response team has uncovered a new malware, Regin, which has been operating under the radar since 2008 and, according to the information security vendor, could be a cyberespionage tool used by a nation state.

According to Symantec, the malware, reminiscent of Stuxnet and Duqu, bears the hallmarks of a state-sponsored operation and displays a degree of technical competence rarely seen.

While Symantec won’t speculate on the origin of Regin, it’s adamant that it has been used as an espionage and surveillance tool by intelligence agencies.

“It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks,” Symantec said.

“Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”

Regin serves as an effective framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals.

According to Symantec, Regin is a multi-staged threat: of its five stages, all but stage 1 are hidden and encrypted.

“Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat,” Symantec said.

[Figure: Regin’s five stages. Source: Symantec]

Regin also uses a modular approach, seen in other sophisticated malware families such as Flamer and Weevil, allowing it to load custom features tailored to the target.

Meanwhile, the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.

There’s still a lot that needs to be worked out about Regin, by Symantec’s own admission: the vendor has been unable to identify a reproducible infection vector, which may have been customised for each attack.

“There are also dozens of Regin payloads, providing for all the usual things like password stealing, captured screens, stolen files — including deleted files — and more,” Symantec said.

According to Symantec, some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application.

“On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.”

Source: Business Spectator, Australia