Dubai: After the deadly Duqu and Stuxnet family of computer malware created havoc across the globe, Symantec has found a complex threat that has been used in data collection or intelligence gathering campaigns.

The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic and recovering deleted files.

Vikram Thakur, senior manager at Symantec Security Response, told Gulf News that the virus can communicate with the attackers using multiple channels (TCP, UDP, ICMP, HTTP cookies), all of which are strongly encrypted. In addition, infections can serve as proxy nodes and infected machines can communicate in a peer-to-peer fashion.

In the Gulf States, he said, one quarter of the infections are in Saudi Arabia, but the UAE has not been targeted.

“The discovery of ‘Regin’ highlights how significant investments continue to be made into the development of tools for use in intelligence gathering, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long-term surveillance operations against targets,” Thakur said.

He said that Regin bears the hallmarks of a state-sponsored operation and is likely used as an espionage and surveillance tool by intelligence agencies. However, Symantec does not have sufficient evidence to attribute it to any particular state or agency.

Even though Symantec has only now published its findings, “we have been following it since the second half of 2013. We have also been monitoring for any further activity and attacks,” he said.

The majority of Regin’s code is not visible on “infected computers”. Most of its stages are stored as encrypted data blobs, either as a file or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of the disk. Regin also goes to some lengths to hide the data it is stealing. Valuable target data is often not written to disk.
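An added defender's example, not code from the article or from Symantec: the encrypted stages stored in extended attributes described above look like random bytes, so one detection heuristic is to flag large, high-entropy extended attributes on a directory tree (Linux/macOS, via `os.listxattr`/`os.getxattr`); the size and entropy thresholds and the sample attributes are assumptions.

```python
import math
import os
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, much lower for text or code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_xattrs(attrs: Dict[str, bytes], min_size: int = 512,
                      min_entropy: float = 7.0) -> List[Tuple[str, int, float]]:
    """Return (name, size, entropy) for attributes big and random-looking enough to be a hidden payload.
    Thresholds are assumed starting points; tune them against a baseline of your own hosts."""
    hits = []
    for name, value in attrs.items():
        ent = shannon_entropy(value)
        if len(value) >= min_size and ent >= min_entropy:
            hits.append((name, len(value), round(ent, 2)))
    return hits


def read_xattrs(path: str) -> Dict[str, bytes]:
    """Collect the extended attributes of one file; empty if the platform or filesystem lacks them."""
    try:
        return {n: os.getxattr(path, n) for n in os.listxattr(path)}
    except (OSError, AttributeError):
        return {}


def scan_tree(root: str) -> Dict[str, List[Tuple[str, int, float]]]:
    """Walk a directory tree and map each file with suspicious attributes to its findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            hits = suspicious_xattrs(read_xattrs(p))
            if hits:
                findings[p] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign text label beside a random blob standing in for an encrypted stage.
    sample = {"user.comment": b"quarterly report, reviewed " * 40, "user.cache": os.urandom(4096)}
    print(suspicious_xattrs(sample))  # flags only user.cache
```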

Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist.

There are two versions: version 1.0, which appears to have been used from at least 2008 to 2011, and version 2.0, which has been used from 2013 onwards.

From a coding perspective, Regin was not written by the same person who wrote Duqu and Stuxnet. “There were no similarities between Regin and Duqu or Stuxnet. It can be different people from the same organisation and we cannot rule that out,” he said.

He said that Regin’s significance lies in its technical complexity and customised payloads which display knowledge of highly specialised industries. The level of sophistication and complexity of Regin indicate that the development of this threat “would have taken well-resourced teams of developers many months or years to develop and maintain,” he said.

“The infection vector varies among targets. Targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files show that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit,” he said.