Regin trojan spying on countries like India
Updated: 29 Nov 2014, 12:48 AM IST
Sophisticated surveillance trojan whose origin and complexity have confounded security firms is reminiscent of the Stuxnet worm that infected industrial control systems
Mumbai: Most malware is known to originate in either Russia or China. However, online surveillance and cyberwarfare, it appears, can show up in any form or shape—even as a remote access trojan, or RAT, called Regin.
It is a sophisticated surveillance trojan whose origin and complexity have confounded security firms, reminding one of the Stuxnet worm that infected industrial control systems in many countries, especially Iran, Indonesia and India, in October 2010.
On 23 November, security firm Symantec Corp alerted the world to the presence of the Regin malware that is spying mostly on individuals and small businesses besides targeting telecom networks, airlines and even governments.
However, while the malware has spread mostly to the Russian Federation, Middle East countries and India till date, there has not been a single detection of the malware in any of the “Five Eyes" surveillance countries comprising the US, the UK, Australia, Canada and New Zealand, which has led to speculation that some developed nation-state could have created the malware as a cyberwarfare and cyber espionage tool.
The US, for instance, admitted to collecting billions of pieces of information on immigrants—6.3 billion on Indian citizens alone under the Foreign Intelligence Surveillance Act, according to an 8 June 2013 report in the UK-based newspaper The Guardian.
While 28% of infections have been noted in the Russian Federation and 24% in Saudi Arabia, countries like India, Pakistan and Afghanistan accounted for 5% of all Regin infections, Symantec said in the 23 November report that was updated on 27 November.
Regin infections were observed in a variety of organizations between 2008 and 2011, after which a new version of the malware surfaced from 2013 onwards. Targets include private companies, government entities and research institutes.
Almost half of all infections targeted private individuals and small businesses.
Attacks on telecoms companies appear to be designed to gain access to calls being routed through their infrastructure, the Symantec report said, adding it is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. “Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state," said the report.
Regin is a highly complex threat that has been used in systematic data collection or intelligence gathering campaigns, Symantec noted. It pointed out that Regin uses a multi-stage and modular approach, allowing it to load custom features tailored to the target. This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil (The Mask), while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats.
Regin’s capabilities include RAT features such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files. It can potentially be used in espionage campaigns lasting several years. Even when its presence is detected, it is very difficult to ascertain what it is doing.
Symantec was only able to analyse the payloads after it decrypted sample files. Regin’s “stealth" features include anti-forensics capabilities and alternative encryption tools, which make it hard to detect.
Security firm F-Secure Corp says it detected Regin nearly six years ago in early 2009, “when we found it hiding on a Windows server in a customer environment in Northern Europe", and placed Regin in the same category of highly sophisticated espionage campaigns as Stuxnet, Flame, and Turla/Snake.
“As always, attribution is difficult with cases like this. Our belief is that this malware, for a change, isn’t coming from Russia or China," F-Secure analysts said on their website.
According to a 24 November Kaspersky Lab report, although some private research groups refer to it as the ‘Regin malware’, it is not entirely accurate to use the term malware in this case. “In essence, Regin is a cyberattack platform, which the attackers deploy in victim networks for total remote control at all levels."
Surveillance spyware can assume many forms.
In a joint October report with INTERPOL, Kaspersky pointed out the presence of “Monitor" class programs that stand for “conditionally legitimate applications designed to conduct surveillance over smartphone users". These applications can track the user’s location, read his/her messages, and access other personal information. The manufacturers of such software advertise it as a useful tool to help look after children and the elderly, but Kaspersky Lab classifies the programs as potentially dangerous.
Incidentally, India tops the list with 19.73% of all Monitor class detections, followed by Russia in the second place with 14.72% (even though Russia is the leader of the general threat ranking). Users in the US, too, do encounter these applications (7.59% detections); followed by the UK (6.8%) and Germany (4.56%), the Kaspersky report said.
The fact, say security firms, is that viruses are becoming increasingly nasty and complex. But while worms were traditionally used by hackers and cybercriminals either to display their prowess or to steal information and money, it now appears that even nation states are backing such crimes to target countries, a trend popularly known as cyber espionage.
In July 2010, anti-virus vendors had detected the presence of a virus they named W32.Stuxnet that targets industrial control systems to take control of industrial facilities, such as power plants. Iran was the primary target, with nearly 59% of the attacks directed at that country, according to Symantec. India was affected, too, with 8.31% hits.
In October 2011, there was another worm called W32.Duqu that was created from the same code base as Stuxnet. But it appeared to have a completely different purpose.
While Stuxnet was primarily designed to sabotage industrial machinery, Duqu appeared to be designed for information theft, particularly information related to industrial systems and other secrets.
In May 2012, researchers discovered a more potent virus. Going by the name W32.Flamer (also called sKyWIper and Wiper), the worm’s primary target appeared to be Iran and other West Asian countries.