Researchers have uncovered a highly advanced, sophisticated piece of malware they believe was used to spy on a wide range of international targets, including governments, infrastructure operators and other high-profile individuals, since at least 2008.
The nasty malware, dubbed "Regin", is said to be more sophisticated than both Stuxnet and Duqu, according to the researchers at antivirus software maker Symantec Corp.
DEVELOPED BY NATION STATE
The research showed that the Regin malware is believed to have been developed by a wealthy "nation state" and to be a primary cyber espionage tool of that state, because of the financial clout needed to produce code of this complexity with several stealth features to avoid detection. But the antivirus software maker didn't identify which country was behind it.
"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state," said Symantec's Security Response team.
"The security firm did not name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011 with a since-decommissioned version of the malware that resurfaced after 2013."
Regin uses a modular approach, allowing it to load features that exactly fit the target and enabling customized spying. The malware's design makes it highly suited for persistent, long-term mass surveillance operations against targets, the company said.
The nasty malware's main targets include Internet service providers and telecommunications companies, where it appears the complex software is used to monitor calls and communications routed through the companies' infrastructure. Other targets include organisations in the hospitality, energy, airline, health and research sectors.
HIGHLY CUSTOMIZABLE FIVE STAGE STRUCTURE
Regin's highly customizable nature allows large-scale remote access Trojan capabilities, including password and data theft, hijacking the mouse's point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.
"Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals," Symantec said.
In order to remain stealthy, Regin is organized into five layers, each "hidden and encrypted, with the exception of the first stage." It's a multi-stage attack, and each stage reveals only a part of the overall attack. Executing the first stage starts a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on.
NASTY MODULES
The whole picture of the malware only emerges once all five stages have been acquired, because each individual stage provides little information on the complete package. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer's mouse, stealing passwords, monitoring network traffic, and recovering deleted files.
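To make the "domino chain" of the five-stage structure and the "little information per stage" point concrete, here is a toy model written for this article from the analyst's side; it is not Symantec's analysis and not Regin's real code. Each stage's plaintext carries only the key for the next stage, so recovery from a disk acquisition stops at the first stage that is missing or damaged. The cipher (a hash-derived XOR keystream), the stage contents and the keys are constructed placeholders.

```python
import hashlib

MAGIC = b"STG1"   # marker at the start of each plaintext so a wrong-key decryption is detected
KEY_LEN = 32
STAGES = 5


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream.
    Stands in for whatever the real malware uses; chosen only to keep the chain readable."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_chain(bodies):
    """Lay the stages out as they would sit on disk: stage 1 in the clear,
    stage n (n >= 2) encrypted under a key that only stage n-1 carries."""
    assert len(bodies) == STAGES
    # Constructed keys; stage 1 needs none because it is stored unencrypted.
    key_for = {n: hashlib.sha256(b"constructed-key-%d" % n).digest() for n in range(2, STAGES + 1)}
    on_disk = {}
    for n, body in enumerate(bodies, start=1):
        next_key = key_for.get(n + 1, bytes(KEY_LEN))   # last stage carries an all-zero key
        plaintext = MAGIC + next_key + body
        on_disk[n] = plaintext if n == 1 else xor_keystream(plaintext, key_for[n])
    return on_disk


def recover(acquired):
    """Walk the domino chain over whatever stages an analyst managed to acquire.
    Returns {stage_number: body} for every stage whose plaintext could be reached."""
    recovered = {}
    key = None
    for n in range(1, STAGES + 1):
        blob = acquired.get(n)
        if blob is None:
            break                                   # gap in the acquisition: nothing beyond here
        plaintext = blob if n == 1 else xor_keystream(blob, key)
        if not plaintext.startswith(MAGIC):
            break                                   # corrupted stage or wrong key from the previous one
        key = plaintext[len(MAGIC):len(MAGIC) + KEY_LEN]
        recovered[n] = plaintext[len(MAGIC) + KEY_LEN:]
    return recovered
```

Dropping any single stage from `acquired` makes every later stage unrecoverable even though its bytes are present, which is the practical reason the researchers needed all five stages to see the full package.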
Other modules appear to be tailored to specific targets. Specialist modules were found monitoring the traffic of Microsoft Internet Information Services (IIS) servers, parsing mail from Exchange databases, and collecting administration traffic for mobile base station controllers.