All you need to know about Regin

Regin is highly sophisticated malware


As news circulates of a fresh piece of malware detected by researchers, businesses should sit up and take notice of the potential risks it may cause to their organisation. We talked to Adam Kujawa, Head of Malware Intelligence at Malwarebytes, and discussed everything you need to know about this bug.

TechRadar Pro: What is Regin?

Adam Kujawa: Regin is a highly sophisticated, modular rootkit most likely designed and used by a nation state for the purpose of intelligence gathering.

TRP: Why is it so advanced in comparison to other forms of malware?

AK: Regin goes to great lengths to segment and compartmentalise its installation procedures, utilising high amounts of encryption as well as persistence establishment. Basically, it hides any presence of itself on the system, even to the point of having intricate pieces of functionality completely encrypted until they are needed. This is a delicate operation and one that had to have been developed by master programmers.

TRP: Why should we care about it?

AK: I like to think of malware sometimes as if they were comic book villains. There are your run of the mill pieces of malware that pose immediate threat to an individual but are easy to thwart, and they are represented by your average thugs or henchmen.

Then you've got your bigger villains, like the Penguin, Riddler and so forth. They are bigger threats to larger groups but can still be handled – you might think of these villains as ransomware, banking Trojans and similar.

Then you've got your super villains – the Joker, Darkseid, Thanos – and these villains are very powerful and they can usually do a lot of damage, plus they are also very hard to stop or even find. So when we talk about why we should care about this particular malware, it is because this malware is a super villain, alongside Stuxnet, Flame, Duqu, etc. These are super malware with immense power and sophistication that, depending on their capabilities, can steal the most valuable intelligence or destroy the most powerful systems.

TRP: Why has Regin only been detected now if it's been used for international spying since 2008?

AK: It has been detected before in different forms. The fact is that early detections of Regin were different variants of what we have seen now and most likely what is currently out there. When you deal with cybercriminals, their variants are slightly different from each other, for the purpose of evading detection. Often it is easy to identify them again.

Nation state malware will become completely different in its appearance on the system as well as its capabilities, making it virtually vanish until someone notices another one.

TRP: How does it compare to Stuxnet?

AK: Stuxnet and Regin are similar in their backing but different in a lot of other ways. Stuxnet was limited to what its mission was – namely being able to infiltrate the energy controls. It also relied heavily on human interaction in order to steal information or obtain commands.

Regin is far more powerful in that it can communicate and send information directly, even from within a classified network, by utilising numerous drones to pass traffic between themselves before getting to an exit point on the open internet.

TRP: What are the other well-known types of sophisticated malware I should be aware of?

AK: Flame and Duqu are some of the more recent and more important forms of nation state malware.

TRP: How can businesses keep themselves protected against such forms of malware?

AK: By keeping encrypted files on systems that have no way of ever reaching the outside internet. Also, utilising up to date security software and patching every single vulnerability that might exist on their system. Finally, segmenting what kind of power an average user might have on a system by locking down their privileges (i.e. so no one using the employee's account can install malware on the system) and you've really got a start.

The most common way that this kind of malware is making its way onto sensitive networks is through social engineering tactics, fooling specific users to do the bidding of the attackers and help them get in, without them ever knowing. So common security knowledge, password management and awareness of phishing scams, drive-by exploits and so forth, are all imperative.

TRP: Are we likely to see more of this kind of malware in the future?

AK: Absolutely. Government developed malware isn't a failed experiment, and with our world turning more and more digital every year, the amount of resources currently put into development and operation of these tools will only increase. We are going to see a lot more players enter the arena, i.e. smaller countries and not just superpowers.

About Adam Kujawa

Adam is Head of Malware Intelligence at Malwarebytes, and a computer scientist with experience in reverse engineering, malware analysis and penetration testing. He has worked at a number of United States federal and defence agencies, helping these organisations reverse engineer malware and create defence and mitigation techniques.

Article continues below