Stuxnet-like malware highlights need for skills and vigilance

The discovery of advanced malware used to spy against organisations underlines the need for skills and vigilance, say security experts

The discovery of an advanced piece of malware that has been used to spy against organisations for at least six years underlines the need for skills and vigilance, say security experts.

The Stuxnet-like malware dubbed “Regin” is a complex, back-door Trojan that has the hallmarks of a state-sponsored operation, according to security researchers at Symantec.

The Symantec team that discovered the Backdoor.Regin malware said its structure displays a degree of technical competence rarely seen.

The malware is not visible on infected computers and it goes to great lengths to cover its tracks, making it highly suited for persistent, long-term surveillance operations against targets.

The researchers said even when its presence is detected, it is very difficult to ascertain what the malware is doing. Symantec was able to analyse the payloads only after it decrypted sample files.

Regin includes anti-forensics capabilities, such as a custom-built encrypted virtual file system, and uses multiple sophisticated means to communicate covertly with its operators.

Regin is customisable with an extensive range of capabilities depending on the target, and provides its controllers with a powerful framework for mass surveillance.

The malware has been used in spying operations against government organisations, infrastructure operators, businesses, researchers and private individuals.

Researchers said Regin is a multi-staged threat, and each stage is hidden and encrypted, with the exception of the first stage.

Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. 

Customised for target

Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat, the researchers said.

Regin uses a modular approach, allowing it to load custom features tailored to the target.

This modular approach has been seen in other sophisticated malware families such as Flamer, while the multi-stage loading architecture is similar to that seen in the Stuxnet family of threats. 

Regin infections were observed in a variety of organisations between 2008 and 2011, when it appears to have been withdrawn temporarily.

A new version of the malware resurfaced from 2013 onwards, with targets including private companies, government entities and research institutes.

Almost half of all infections observed by researchers targeted private individuals and small businesses.

Attacks on telecoms companies accounted for 28% of infections and appear to be designed to gain access to calls being routed through their infrastructure, the researchers said.

Infections are also geographically diverse, having been identified mainly in ten different countries.

Russia and Saudi Arabia targeted

The most targeted regions were the Russian Federation (28%), Saudi Arabia (24%), Ireland (9%) and Mexico (9%).

These were followed by India, Afghanistan, Iran, Belgium, Austria and Pakistan, each with a 5% share of the total number of infections observed.

The infection vector varies among targets, but Symantec believes some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a web browser or by exploiting an application.

On one computer, log files showed that Regin originated from Yahoo Instant Messenger through an unconfirmed exploit.

Regin’s modular approach enables attackers to load custom features tailored to individual targets when required.


Wide variety of features

Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors. Researchers said this provided further evidence of the level of resources available to Regin’s authors.

Researchers observed a wide variety of features, including screenshot-capturing, taking control of mouse functions, stealing passwords, monitoring network traffic and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a traffic sniffer of the administration of mobile telephone base station controllers.

The researchers believe many components of Regin remain undiscovered and additional functionality and versions may exist.

Symantec said the discovery of Regin showed that significant investments had been made in developing intelligence-gathering tools.

This highlights the need for firms to think carefully about how they protect their most sensitive information, said Stephen Bonner, a partner in KPMG’s Cyber Security practice.

“It also means the businesses need to be vigilant in detecting and being ready to respond to sophisticated attacks,” he said.

Malware highlights skills gap

Research by KPMG revealed nearly three quarters of businesses polled admit new cyber challenges require new skills.

Some 70% admitted their organisation lacked data protection and privacy expertise and were doubtful about their organisation’s ability to assess incoming threats.

Most said the shortfall existed because the skills needed to combat cyber threats are different to those required for conventional IT security. 

As a result, more than half of those polled said they would consider hiring a reformed hacker to help them build the skills needed for robust cyber defence.

“The idea of turning to hackers is an alarming trend. You wouldn’t hire pickpockets to be security guards, so the fact that companies are considering making such an unwise choice shows how desperate they are,” said Bonner.

Read more on Hackers and cybercrime prevention