Stealthy malware 'Regin' targeted businesses, individuals and telcos

It's lying in wait

A "highly-complex" piece of malware with James Bond-level espionage capabilities has been spying on governments, infrastructure operators, businesses and individuals since 2008, according to security company Symantec.

Detailed in a company blog post, the backdoor-type Trojan, called "Regin", can be highly customised through the use of modules depending on its intended target and has allegedly been used as a tool for mass surveillance.

Regin has been found to infect its victims in multiple ways, from luring them to spoofed versions of well-known websites, where it installs itself, to exploiting applications.

The malware has claimed a number of victims as part of two waves, with a first version targeting organisations between 2008 and 2011 before being withdrawn. It re-emerged in 2013 to target companies, government entities and research institutions, with almost half of all infections targeting private individuals, small businesses and telecoms companies.

Stealth mode

According to Symantec, Regin has been designed to be a low-key type of malware that can potentially be used in espionage campaigns lasting several years. The company was only able to analyse its actions after decrypting sample files, discovering that its actions are particularly difficult to decipher.

Some of Regin's particularly stealthy, anti-forensic characteristics include a custom-built encrypted virtual file system (EVFS), embedding commands in HTTP cookies, and custom TCP and UDP protocols.