Regin Cyber-Spy Malware Targeted High-Priority Intelligence Quarry

It’s not likely that your network will get hit by the Regin malware by accident. But if you discover it on your network it means that somebody big and powerful is after you.

Finding the Regin malware on your network is sort of like getting an unexpected visit from the U.S. Navy’s Seal Team Six. You know somebody very powerful is thinking about you and you wish that you had somehow passed up the honor of its visit. Like those heavily-armed Navy special operations teams, Regin and its successors don’t go out on their own. They are deliberately sent. “Regin is the cyber equivalent of a specialist covert reconnaissance team,” said Pedro Bustamante, director of special projects at Malwarebytes in an email to eWEEK. Regin also has some unusual capabilities, not unlike those covert special operations military units. “The analysis shows it to be highly adaptable, changing its method of attack depending on the target. It also has some very advanced evasion techniques that make it suitable for spending long periods carrying out undercover surveillance.” Bustamante said that the Regin malware is delivered through common exploits, including email and online chat sessions. “The result is that targets would typically have no knowledge of infection, allowing Regin to quietly decrypt its various payloads unseen before moving stealthily through networks in the background.”

As bad as that sounds, it’s really the good news. Unlike malware created by cybercrime operators, Regin does not spread on its own and significantly, it can cease operations and disappear whenever its controllers tell it to. It’s also different from Stuxnet, which replicated itself in its search for computers that were controlling Iraqi uranium centrifuges, but erased itself when it found that it was in the wrong environment. Unless you were running a uranium enrichment plant, Stuxnet created problems only because of the network resources it consumed while trying to replicate itself. Eventually it gave up and died out. Regin, on the other hand, does no such thing. “This remains an extremely targeted campaign,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab in Bucharest. “In total, we counted only 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network,” Raiu said. The 27 target networks were 14 countries including Afghanistan, Germany, Indonesia, Iran, Pakistan, Russia and Syria, according to Kaspersky. “The number of unique PCs infected with Regin is of course much, much higher. Regin is highly controlled and cannot escape because it doesn’t have automatic self-replication code inside. The only time samples appear on multi-scanner services is when victims notice it and upload it for confirmation,” Raiu explained. Raiu noted that the original version of Regin was withdrawn in 2011 and didn’t reappear until a new version surfaced in 2013.

The difference between the versions was primarily that the first was aimed at 32-bit Windows computers, and the second at 64-bit Windows machines, reflecting the current move in the market to 64-bit platforms. The obvious next question is who (or what) would go to the trouble and expense required to create Regin, but target only 27 victims? Raiu declined to speculate. However, Adam Kujawa head of malware intelligence at Malwarebytes said in an email that it would take a national intelligence agency to actually pull this off. “It is highly possible that Regin was developed, at least in part, by a nation-state since the resources required for not only the creation of such an intricate and complex tool would be immense, but also the actual control of such a tool would require powerful systems and many man hours of sifting through data to derive meaningful intelligence.” Kujawa said. “The operation of this tool requires a huge effort in line with manual manipulation of how the tool works on an infected network, but also how it communicates with the command and control,” Kujawa noted. “Since Regin has a dual communication channel, meaning that the malware can talk to the attacker and the attacker can talk to the malware, it is likely not completely automated and needs constant instructions,” he explained.

“All of these factors combined do not make up the signature for a single or couple of hackers. Nor does it fit the M.O. for a cyber-crime organization. This is a constant surveillance operation most likely executed by a government with substantial resources and the know-how to make it happen,” Kujawa asserted. In other words, Regin is less like a cruise missile and more like a drone. It can operate for long periods of time on its own, but ultimately someone needs to be at the controls. In addition, someone needs to be on hand to evaluate the fruits of the intelligence gathering, and to make changes if necessary. What’s important to nearly everyone is that the chances of the Regin malware in its current state attacking your computers or network are basically non-existent—unless, of course, you are of particular interest to the national intelligence agency controlling it. In that case, it’s still possible to prevent infection by strictly following safe practices such as never using critical systems for things like email and chats. But that only works if computers that are doing email and chats are kept off the network. In addition, now that anti-malware products know what to look for with Regin, they’re more likely to find something, but of course that’s only true if the creators of this attack don’t stay a step ahead. Unfortunately, so far they have.