What is it?
Regin malware (pronounced “region”) is a malicious cyber espionage tool whose origins have been traced back as far as 2008. It was discovered by security researchers at Symantec and can lie undetected on a target system for months or even years.
How does it work?
Regin operates like a back-door Trojan. It affects the Windows OS and operates in five stages, with flexibility that allows the attacker to customize the attack to its particular target. Its only visible component is a driver. Every other piece of the malware is encrypted and hidden in different segments of the computer’s file system.
Who is it targeted at?
Regin’s target list includes not only government bodies but also small businesses, academics, internet providers and individuals. Telecoms companies have also been infected, allowing the attacker to gain access to phone calls. Interestingly, Ireland had the third-highest number of targets – 9% of overall detected infections. The majority of targets for the malware are based in Russia and Saudi Arabia – 28% and 24% respectively. Neither the US nor the UK is believed to be a target of Regin.
How does it infect its target?
The attackers use typical techniques to infect their targets. Spoofed versions of well-known sites are used as a means to trick the target, and the malware can also be installed through a web browser or via an application, according to Symantec. The source of one attack was traced by Symantec back to Yahoo’s Messenger program.
What information is it collecting?
Once Regin is installed, it starts stealing passwords, taking screenshots, taking control of the mouse and its functions, and monitoring web activity. It can also retrieve deleted files.
Do we know who created it?
Its development likely took months, if not years, and its authors have gone to great lengths to disguise it. Its capabilities and the level of resources behind Regin indicate that it was created by a “nation state,” with persistent long-term surveillance in mind. Only a handful of countries are thought capable of creating something as complex as Regin.
Am I at risk?
In an interview with RTÉ, Orla Cox of Symantec said that the average consumer won’t be affected. As Regin appears to be part of a targeted operation, and not blanket surveillance, most users do not have to worry about a potential attack. However, users should still be vigilant when using the web. The threat landscape is growing, and companies and their staff need to be vigilant about protecting their data.
Can we help?
Have concerns about your company’s IT security? We’re happy to provide advice and guidance. Click the link below to contact us.