The Regin malware has been around since at least 2008,that most Regin infections were observed in Russia (28%) and Saudi Arabia (24%), but other attacks were spotted in Iran, Ireland, India, Afghanistan, Austria, Belgium, Mexico, and Pakistan.
The Regin platform has a modular structure that allows its operators to add new malicious components that implement new functionalities according to the target to attack.
Regin is considered by many researchers the most sophisticated espionage tools discovered to date, it implements a six-stage architecture as reported in the following image.
The Regin is structured into six stages, each of which is encrypted, except for the first one, which is used to launch the initial loader. The execution of the first stage triggers a domino chain in which at each step the stage is decrypted and executed, and that in turn decrypts the successive stage, and so on.
Part of the intelligence community has linked the Regin malware to the Five Eyes alliance, experts found alleged referenced to the super spyware in a number of presentations leaked by Edward Snowden and according to malware researchers it has been used in targeted attacks against government agencies in the EU and the Belgian telecoms company Belgacom.
Now Symantec revealed that its researchers have uncovered 49 new modules, the total number of components discovered since the initial discovery is 75.
“As outlined in an updated technical whitepaper, Symantec has found 49 new modules, bringing the total number of Regin modules uncovered to 75. This remains an incomplete list. A number of other Regin payloads are known to exist since some modules analyzed contain references to them.” states a blog post published by Symantec.
The newly discovered modules can be used for espionage purposes, they implement logging, keylogging, impersonation functionalities and other exfiltration methods.
The analysis of these modules led the experts to speculate that many other modules belonging the Regin platform exist.
The researchers at Symantec revealed that Regin has an extensive command and control (C&C) infrastructure that relies on peer-to-peer (P2P) communications between infected machines.
“Symantec has found an extensive command-and-control (C&C) infrastructure supporting Regin infections. The attackers have devised a complex system for communication with C&C servers, in which traffic is relayed through a network of Regin-infected computers. Compromised computers can act as a proxy for other infected computers and peer-to-peer (P2P) communications are used.” states the post. “This P2P capability allows the attackers to maintain deep access to critical assets within compromised organizations and mask core infrastructure belonging to the group. Traffic between nodes can be configured to match expected protocols based on where the nodes are placed on a network, adding a further degree of stealth to communications.”
The experts highlighted the existence of a custom-built remote procedure call (RPC) mechanism that enables the attackers to remotely install, update, and configure modules.
“The RPC mechanism allows for procedure calls to be made locally and across the network of Regin-infected computers. Operators can directly call any procedure on the Regin network to remotely control, install, or update modules, or change module configuration by replacing EVFS files.”
The most interesting aspect of the new findings it that threat actors is still operating the Regin platform upgrading its powerful espionage spyware.
“Despite the threat’s exposure last year, it is unlikely that the group behind this malware has ceased operations,” reported Symantec. “Its track record and available resources mean it is probable that the group will re-equip itself with a new threat or upgrade Regin in a bid to evade detection. The latter is the most likely course of action, given the time it would take to develop an equally capable malware framework from scratch.”
(Security Affairs – Backdoor Regin, cyber espionage)