Sophisticated ‘State-sponsored’ Regin Spy Tool Discovered

IT security specialist Symantec has uncovered a new piece of malware, reminiscent of Stuxnet and Duqu, which bears the hallmarks of a state-sponsored operation and is believed to have been in use since at least 2008.

Dubbed ‘Regin’ by Symantec, this backdoor-type Trojan is used as an espionage and surveillance tool and operates with a level of sophistication rarely seen. Notably, most of its code is never visible in the clear on an infected computer (only the first stage is stored unencrypted; later stages are decrypted and loaded in sequence), and it goes to great lengths to hide the data it steals.

Regin’s targets

Regin’s targets include government organisations, infrastructure operators, businesses, academics and private individuals.

A Symantec spokesperson described Regin as customisable, with an extensive range of capabilities depending on the target. They added: “It provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.”

A Symantec blog post describing the Trojan read: “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state.

“Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat.”

The Symantec spokesperson added: “The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.”

Symantec’s analysis is continuing and the company says it will publish updates on any further discoveries.

Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
