Regin spyware alert – advanced cyber espionage malware discovered

Symantec has announced the discovery of one of the most advanced pieces of malware since the Stuxnet/Duqu family of threats.

Regin is a sophisticated piece of spyware that has been used for the last six years to spy on a range of targets, including governments, research institutions, businesses and individuals. Regin infections have been detected all around the world, including in Russia, Saudi Arabia, Mexico and Ireland.

According to Symantec, Regin is capable of installing numerous customised payloads, but its standard capabilities include “Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.”

Symantec’s technical report (Regin: Top-tier espionage tool enables stealthy surveillance) says:

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware… It goes to extraordinary lengths to conceal itself and its activities on compromised computers. Its stealth combines many of the most advanced techniques that we have ever seen in use.”

Regin’s stealth is its main advantage. Its developers have “put considerable effort into making it highly conspicuous,” according to Symantec, meaning “it can potentially be used in espionage campaigns lasting several years”. Regin employs “anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.”

Interviewed by the BBC, Symantec’s Vikram Thakur said, “Considering the level of sophistication and the amount of work which has been put into creating this little tool, it’s evident that the powers behind it, or the nation state which may have created this, is only interested in specific individuals and businesses out there, not mass surveillance of any sort.” Asked who would develop this kind of product and what they would use it for, Mr Thakur said, “There are only a handful of countries across the globe which can a) create such a sophisticated piece of malware or a sophisticated tool, and b) sustain the attack campaign for the number of years that they have without actually getting noticed. So it’s hard for us to say who it might be specifically, but if you narrow down the profile of countries which would be required to create something of this magnitude, there are only a handful of countries which could have done so.”

If your organisation is concerned about its information security, IT Governance recommends implementing the international standard for information security management, ISO/IEC 27001. Accredited certification to this Standard demonstrates that an organisation is following globally recognised information security best practices. Further information on ISO 27001 can be found in our handy green paper, available to download from our website:

Information Security and ISO 27001 – An Introduction