Regin: The super-spyware the security industry has been silent about

NSA fingered as likely source of complex malware family


A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world.

But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to reverse engineer it?

On Sunday, Symantec published a detailed dissection of the Regin malware, and it looks to be one of the most advanced pieces of spyware code yet found.

The software targets Windows PCs, using a zero-day vulnerability said to be in Yahoo! Messenger, before burrowing into the kernel layer. It hides itself in its own private area on hard disks, has its own virtual filesystem, and encrypts and morphs itself multiple times to evade detection. It uses a toolkit of payloads to eavesdrop on the administration of mobile phone masts, intercept network traffic, pore over emails, and so on.

It appears to target people working in telecommunications, including internet backbone providers and cellular networks, plus the energy sector – where Yahoo! Messenger is apparently popular. All in all, it seems to be the handiwork of an intelligence agency rather than a run-of-the-mill malware writer, infosec bods have concluded.

For one thing, it doesn't operate like conventional spyware: Regin doesn't form a remotely controlled botnet – suggesting its masters really didn't want it to be found – nor does it harvest personal financial information.

Instead, it collects intelligence useful to state spies. Coupled with the fact that virtually no infections have been reported in the US, UK or other Five Eyes nations, this has led some to suspect it's the work of the NSA, GCHQ or their contractors.

Kaspersky's report on Regin today shows it has the ability to infiltrate GSM phone networks. The malware can receive commands over a cell network, which is unusual.

The Regin malware popped up on antivirus radars years ago. Symantec says it has been investigating Regin for over a year, although reckons earlier builds have been circulating since 2008. Microsoft first reported it back in 2011, and Kaspersky Lab thinks that it could have been around for as long as ten years.

So why the silence? Security software vendors usually love deluging the press with reports of malware, so you'd think that when Regin was first caught and analyzed, people would have made a song and dance about it.

F-Secure, one of the leading outfits investigating government malware, spotted Regin on a customer's computer two years ago. Chief research officer Mikko Hypponen said on Monday his company had kept silent on the malware because its client had asked it to, although he said F-Secure had added detection for the spyware to its antivirus software. Hypponen is sure Regin is state-sponsored malware.

Only a few hundred infections have been linked to Regin, but the choice of targets is striking. The malware apparently infiltrated the computers of noted Belgian cryptographer Professor Jean-Jacques Quisquater and Belgian telco Belgacom – a network compromise blamed on the NSA and GCHQ by Edward Snowden.

This low infection count could have been what has allowed Regin to fly under the radar for quite so long. With hundreds of thousands of malware samples found every year, a small outbreak doesn't get much attention, which is just what a state-sponsored attacker would be looking for.

Much more attention will be focused on Regin in the coming days. While it's impossible to say exactly where the malware came from, it looks likely that your tax dollars or pounds could be at work. ®

Biting the hand that feeds IT © 1998–2022