A highly advanced malware instance said to be as sophisticated as the famous Stuxnet and Duqu has been detected. "Regin" has security researchers opining that it may be nastier than both.
"Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity. The malware targets organisations in the telecommunications, energy and health sectors.
Symantec malware reversers found attackers have foisted Regin on targets using mixed attack vectors including one unconfirmed zero-day in Yahoo! Messenger.
"Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen," Symantec's researchers wrote.
"Customisable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organisations, infrastructure operators, businesses, researchers, and private individuals.
"It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyber espionage tools used by a nation state."
The security firm did not name a nation as the source of Regin, but is willing to say most of its victims were from Russia and Saudi Arabia and were targeted between 2008 and 2011, with a since-decommissioned version of the malware that re-surfaced after 2013.
About half of those targeted were private individuals and small businesses, and a quarter were telco backbone operators. Hospitality, energy, airline and research organisations round out the remainder in roughly equal measure.
Russia and Saudi Arabia soaked up half of the total attacks, followed by Mexico and Ireland at nine percent apiece.
"Its design makes it highly suited for persistent, long term surveillance operations against targets," the researchers wrote.
The highly complex malware was comparable only to Stuxnet and Duqu, researchers said in the report Regin: Top-tier espionage tool, and many of its elements remain undiscovered.
Regin can install many highly customised payloads including remote access trojans to swipe keystrokes and screenshots, tools to nab information on processes and memory utilisation, and others to recover deleted files.
Specialist modules were found monitoring Microsoft Internet Information Services network traffic, parsing mail from Exchange databases, and collecting administration traffic for mobile base station controllers.
Regin's talented authors encrypted the data blobs of every stage beyond stage one. The stage-zero dropper, probably responsible for setting the extended attributes and registry keys that held the encoded data of the subsequent stages, was not found.
Researchers found some 64-bit versions that differed from the 32-bit variant in their file names and in modifications to stage one, which runs as a kernel-mode driver. Stages three and five of the 64-bit versions were not found. ®