Regin: ‘Complex Software’

Monday, December 1, 2014 @ 06:12 PM gHale

A sophisticated cyber espionage tool has seen action in “systematic spying campaigns” against a range of international targets since at least 2008, researchers said.

The malware, called Regin, is a backdoor Trojan whose structure displays a degree of technical competence rarely seen, which indicates that a nation state is behind it, said researchers at Symantec.


Regin is an “extremely complex piece of software that can be customized with a wide range of different capabilities that can be deployed depending on the target,” said a report released by the security giant.

Symantec first found the threat almost a year ago in December 2013, when a customer submitted the file to Symantec for analysis, researchers said.

Threats of this nature are rare and are only comparable to the Stuxnet/Duqu family of malware, Symantec said. Regin does not appear to share any common code with those threats.

An advanced spying tool, Regin has been in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.

The design and operation of Regin makes it highly suited for persistent, long term surveillance operations against targets, and would have required a significant investment of time and resources to build and deploy. Some of Regin’s custom payloads indicate its developers had a high level of knowledge in particular sectors, such as telecoms infrastructure software, Symantec said in its report.

Regin differs from “traditional” advanced persistent threats (APTs) both in its techniques and in its ultimate purpose, the report said. APTs typically seek specific information, usually intellectual property. Regin’s purpose is different: it collects data and continuously monitors targeted organizations or individuals.

Symantec observed infections in a variety of organizations between 2008 and 2011, after which the malware was “abruptly withdrawn.” A new version resurfaced in 2013 and has seen action against targets including private companies, government entities and research institutes, Symantec said.

Half of the infections targeted private individuals and small businesses, and the intent of the attacks on telecom companies appears to be to gain access to calls routed through their infrastructure.

The Regin platform also has the ability to attack GSM base stations of cellular networks, according to Kaspersky Lab, which analyzed the same malware. One Regin module is capable of monitoring GSM base station controllers, collecting data about GSM cells and the network infrastructure. Over the course of April 2008 the attackers collected administrative credentials (user names and passwords) that would allow them to manipulate a GSM network in a Middle Eastern country. With that access the attackers could have reached the GSM base station controllers, learned which calls end up processed by a particular cell, redirected those calls to other cells, activated neighbor cells and performed other offensive actions, conceivably including shutting down the cellular network. At the present time, the attackers behind Regin are the only ones known to have been capable of such operations.

“The ability to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, other parties can hijack this ability and abuse it to launch different attacks against mobile users.”

The highest percentage of infections discovered was in Russia (28 percent), followed by Saudi Arabia at 24 percent. Regin was also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan, according to the report.

Regin is a multi-staged, modular threat with a number of components, each depending on others, to perform attack operations. The platform uses a six-stage architecture (Stage 0 through Stage 5). Every stage is hidden and encrypted, with the exception of the first stage, which is the only component that sits on disk in plain form.

“Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages,” the report said.

“The initial stages involve the installation and configuration of the threat’s internal services. The later stages bring Regin’s main payloads into play,” the report said.

Symantec said it has not yet been able to determine the infection vector, but believes the attackers used various tactics depending on the target: some victims may have been tricked into visiting spoofed versions of well-known websites, and the threat may install through a Web browser or by exploiting an application.

One system analyzed by Symantec had log files showing a Regin infection that originated from Yahoo! Instant Messenger via an unconfirmed exploit.

Regin’s modular approach gives flexibility to the threat operators as they can load custom features tailored to individual targets when required.

Symantec researchers said there are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

Symantec said more advanced payload modules also exist, including a Microsoft IIS web server traffic monitor and a sniffer for the administration traffic of mobile telephone base station controllers.

Regin’s developers put considerable effort into making the threat difficult to detect and analyze, Symantec said, including several “stealth” features such as anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5.
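Because textbook RC5 derives its key schedule from two fixed magic constants (P32 = 0xB7E15163 and Q32 = 0x9E3779B9), one of the first things an analyst does with a sample suspected of carrying an RC5 variant is search the binary for those constants. The following Python is an added example, not code from Symantec’s report or from Regin itself: it implements standard RC5-32/12/16 from Rivest’s specification so the key-schedule logic is visible, and scans a constructed byte blob for the constants in both byte orders. A variant can change the constants or the round structure, so a miss does not prove RC5 is absent; a hit only tells you where to start looking.

```python
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163  # Odd((e - 2) * 2^32), RC5 key-schedule constant
Q32 = 0x9E3779B9  # Odd((phi - 1) * 2^32), RC5 key-schedule constant


def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def _rotr(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32


def rc5_expand_key(key, rounds=12):
    """RC5 key schedule for 32-bit words: returns the t = 2*(rounds+1) subkeys."""
    if not 0 < len(key) <= 255:
        raise ValueError("RC5 keys are 1..255 bytes")
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK32 for i in range(t)]  # this is what leaves P32/Q32 in the binary
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK32, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc5_encrypt_block(S, block):
    rounds = len(S) // 2 - 1
    A, B = struct.unpack("<II", block)
    A = (A + S[0]) & MASK32
    B = (B + S[1]) & MASK32
    for r in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK32
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK32
    return struct.pack("<II", A, B)


def rc5_decrypt_block(S, block):
    rounds = len(S) // 2 - 1
    A, B = struct.unpack("<II", block)
    for r in range(rounds, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK32, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK32, B) ^ B
    B = (B - S[1]) & MASK32
    A = (A - S[0]) & MASK32
    return struct.pack("<II", A, B)


def find_rc5_constants(blob):
    """Return (constant name, byte order, offset) for every P32/Q32 occurrence in blob."""
    hits = []
    for name, const in (("P32", P32), ("Q32", Q32)):
        for fmt, order in (("<I", "le"), (">I", "be")):
            needle = struct.pack(fmt, const)
            off = blob.find(needle)
            while off != -1:
                hits.append((name, order, off))
                off = blob.find(needle, off + 1)
    return sorted(hits, key=lambda h: h[2])


# Constructed stand-in for a code section: padding, P32, a few NOPs, then Q32, all little-endian.
SAMPLE_BLOB = b"\x00" * 16 + struct.pack("<I", P32) + b"\x90" * 5 + struct.pack("<I", Q32)

if __name__ == "__main__":
    S = rc5_expand_key(b"\x00" * 16)
    ct = rc5_encrypt_block(S, b"\x00" * 8)
    print("ciphertext:", ct.hex(), "round trip ok:", rc5_decrypt_block(S, ct) == b"\x00" * 8)
    print("constant hits:", find_rc5_constants(SAMPLE_BLOB))
```

On a real sample, run `find_rc5_constants` over each section of the PE rather than the whole file, and treat a P32/Q32 pair within a few hundred bytes of each other as a strong hint that the key schedule lives nearby; the published RC5 test vectors can be used to confirm the reference implementation before comparing its behaviour with whatever variant the sample uses.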

Regin uses multiple sophisticated means to secretly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols, the report said.

This setup makes the command-and-control (C&C) infrastructure very dynamic and essentially allows the attackers to move the C&C server by the minute and hide their tracks.
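Two of the channels above, ICMP echo payloads and HTTP cookies, leave traces that a network defender can triage without any Regin-specific indicator: a ping whose payload is not what a real ping utility sends, and a client presenting a cookie the server never issued. The following Python is an added example written for this page, not code from Symantec’s or Kaspersky’s reports, and it contains no Regin signatures. It runs two generic heuristics over a small constructed set of flow records (in practice these would come from Zeek or a pcap): ICMP echo requests whose payload matches neither the Windows ping string nor the iputils byte-index pattern and has high byte entropy, and Cookie headers carrying a name the server never set via Set-Cookie or a long high-entropy value. The entropy threshold and minimum cookie length are assumptions to tune per environment.

```python
import math
from collections import Counter, defaultdict

# Payload that the Windows ping utility sends in an ICMP echo request.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ENTROPY_THRESHOLD = 4.0   # bits per symbol; assumed value, tune per environment
COOKIE_VALUE_MIN = 32     # only entropy-score cookie values at least this long (assumption)


def shannon_entropy(data):
    """Bits of entropy per symbol of a bytes or str value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_standard_ping_payload(payload):
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils ping fills byte i with the value i, then overwrites the first 8 bytes with a timestamp.
    if 8 < len(payload) <= 256 and payload[8:] == bytes(range(8, len(payload))):
        return True
    return False


def parse_cookie_header(value):
    pairs = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs[name] = val
    return pairs


def find_covert_c2_candidates(records):
    """Return (client, server, channel, reason) tuples for records matching a heuristic."""
    alerts = []
    issued = defaultdict(set)  # server -> cookie names it has set in a response
    for rec in records:
        if rec["proto"] == "http" and rec.get("set_cookie"):
            issued[rec["src"]].add(rec["set_cookie"].split("=", 1)[0].strip())
    for rec in records:
        if rec["proto"] == "icmp" and rec.get("type") in (0, 8):
            payload = rec["payload"]
            if not is_standard_ping_payload(payload):
                ent = shannon_entropy(payload)
                if ent >= ENTROPY_THRESHOLD:
                    alerts.append((rec["src"], rec["dst"], "icmp",
                                   "non-standard echo payload, entropy %.2f" % ent))
        elif rec["proto"] == "http" and rec.get("cookie"):
            for name, val in parse_cookie_header(rec["cookie"]).items():
                reasons = []
                if name not in issued[rec["dst"]]:
                    reasons.append("cookie '%s' never set by %s" % (name, rec["dst"]))
                if len(val) >= COOKIE_VALUE_MIN and shannon_entropy(val) >= ENTROPY_THRESHOLD:
                    reasons.append("high-entropy value (%d chars)" % len(val))
                if reasons:
                    alerts.append((rec["src"], rec["dst"], "http", "; ".join(reasons)))
    return alerts


# Constructed sample records; addresses are documentation ranges, not real hosts.
SAMPLE_RECORDS = [
    {"proto": "icmp", "src": "10.0.0.5", "dst": "192.0.2.1", "type": 8, "payload": WINDOWS_PING_PAYLOAD},
    {"proto": "icmp", "src": "10.0.0.6", "dst": "192.0.2.1", "type": 8,
     "payload": b"\x00" * 8 + bytes(range(8, 56))},                      # iputils pattern
    {"proto": "icmp", "src": "10.0.0.7", "dst": "203.0.113.9", "type": 8,
     "payload": bytes(range(0x80, 0xA0))},                               # 32 distinct bytes, entropy 5.0
    {"proto": "http", "src": "198.51.100.4", "dst": "10.0.0.5", "set_cookie": "lang=en; Path=/"},
    {"proto": "http", "src": "10.0.0.5", "dst": "198.51.100.4", "cookie": "lang=en"},
    {"proto": "http", "src": "203.0.113.9", "dst": "10.0.0.7", "set_cookie": "sid=3f9a1c"},
    {"proto": "http", "src": "10.0.0.7", "dst": "203.0.113.9",
     "cookie": "sid=3f9a1c; cmd=ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"},       # name never issued, 32 distinct chars
]

if __name__ == "__main__":
    for alert in find_covert_c2_candidates(SAMPLE_RECORDS):
        print(alert)
```

Both heuristics produce false positives on their own (legitimate tools send odd ping payloads, and a cookie set before the capture window started looks orphaned), so treat the output as hunt leads to correlate with the host, in particular with the same internal address showing up on more than one channel to the same external server, as the constructed records illustrate.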

“The discovery of Regin serves to highlight how significant investments continue to be made into the development of tools for use in intelligence gathering,” the report concluded.

Symantec also warned that many components of Regin have still gone undiscovered and additional functionality and versions may exist.
