By Dr. Samir Kelekar, Senior Consultant, Indusface
It’s déjà vu. In 2010, malicious software called Stuxnet introduced the world to a cyber-weapon that could affect the major industries of nations. Now, almost four years later, another stealthy piece of malware, Regin, has surfaced; although it was discovered only 24 hours ago, it is thought to have been used for spying since 2006. Regin is an extremely advanced piece of malware, with some citing it as the most sophisticated seen yet, and it is thought to be used for stealing sensitive data from selected industries based in certain countries. What is the similarity between Stuxnet and Regin, you ask? The company that found it says that its multi-stage architecture is reminiscent of Stuxnet. While Stuxnet was supposedly designed to target Iran’s nuclear equipment with the purpose of damaging it, Regin seems to be built for stealing data. So instead of damage, cyber-espionage seems to be the purpose of Regin. Still dangerous, we agree.
Regin-Who Art Thou?
On Sunday, Symantec, a computer security company, said in a report that it had uncovered an advanced piece of malware that might have been in use for more than eight years. This malware goes by the name Regin. It is being considered the most sophisticated piece of malware ever seen, and was probably created by a government.
The sophistication of the software indicates that Regin is not just another piece of malware but a cyber-espionage tool created by a nation-state. If not years, it definitely took months to create, which in itself gives an idea of the effort and expertise that went into Regin. It is almost invisible, as its creators have gone to great lengths to hide its digital footprint. The malware is built for long-term mass surveillance lasting several years.
The infection method for the malware involves the use of fake websites or Yahoo Instant Messenger.
Is This Malware Target Specific?
Government organizations, businesses, and private individuals have all been affected. Regin is thought to be target-specific, both geographically and by industry. It is also said that the malware has been tailored to its targets.
Geographically, surprisingly (or maybe not so surprisingly), more than half the infections have been found in Russia, Saudi Arabia, and Ireland. While these countries have been hit the most, Mexico and India have also been the subject of Regin’s attention.
Industry-wise, Regin’s main targets consist of the energy sector, telecom companies, and internet service providers. It’s suspected that the malware has been eavesdropping on calls and communications circulating through these companies. Its targets also include the airline and hospitality sector, and the research sector.
It is also said that the affected computers are mainly Windows machines.
Effects of Regin?
As per the studies, a large number of networked computers are infected by Regin. Once installed on a computer, Regin allows remote cybercriminals to control the infected machine. They can spy on the victim, hijack the mouse’s click function, steal passwords and data, take screenshots of sensitive data, and recover deleted files. The malware can be manipulated in many ways, giving the attacker wide latitude in the kinds of attacks that are possible. Attackers can also use it to monitor network traffic and analyze email from Exchange databases.
Because Regin is so complex, researchers expect to find additional functionality and versions of it.
As per reports, Regin uses several stealth features to avoid being detected. This makes finding it tougher than normal malware and requires the help of experts. Even when found, it is tough to figure out the purpose of Regin.
Symantec has published a list of indicators that show a system is infected with this malware. They include file names, names of executables, registry entries, etc., and may be used to detect infection.
Traffic analysis is being recommended to detect the malware’s activity on a victim’s system. Enterprises should at least use a Malware Monitoring Scanning Service to ensure that they are not inadvertently spreading malware like Regin. Take professional help to avoid being a distribution point for malware like Regin.