Symantec: 'Regin' Spying On People, Businesses Since 2008

Symantec reported that it has discovered malware called Regin that's been in use since 2008, if not earlier. The security firm believes that this Trojan has likely been used in information-gathering campaigns and/or "systematic data collection."

According to Symantec, Regin is a customizable back-door Trojan capable of mass surveillance, and it's used to spy on a number of targets including individuals, businesses and governments. The identity of its owners is unknown, as the authors have gone out of their way to hide the malware's origins. However, the nature of the Trojan confirms that loads of time and money have been dumped into its development, possibly by a nation state.

The first version of Regin was used between 2008 and 2011; a new version then appeared in 2013. Both versions spied on small businesses and private individuals (48 percent), telecoms (28 percent), hospitality (9 percent) and more. Most of the infections took place in Russia (28 percent), Saudi Arabia (24 percent), Mexico (9 percent), Ireland (9 percent), India (5 percent) and five additional territories.

Symantec reported that Regin consists of several stages, and each one is encrypted and hidden except for the first stage. "Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat," Symantec stated.

Symantec also said that the Trojan is modular, allowing the authors to use custom features when going after a specific target. Many victims may have acquired the Trojan by visiting fake websites that look nearly identical to the legitimate versions. The company also mentioned applications, indicating that Android devices may also be involved.

So what can this Trojan acquire from unsuspecting victims? Regin can recover deleted files, take screenshots, steal passwords, take control of the victim's mouse and more. The Trojan also has forensics capabilities, as well as a custom-built encrypted virtual file system (EVFS).

"The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering," the security firm reported. "Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist."

Symantec's report said that the firm will continue to analyze the Trojan and provide updates if additional information is found.

Meanwhile, security firm F-Secure also posted a small report on Sunday, revealing that the firm first ran into Regin almost six years ago. The Trojan was discovered in Northern Europe, residing on a Windows server. "A driver with an innocuous name of 'pciclass.sys' seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin," the report said.

The rootkit driver was compiled on March 7, 2008, but because a few other samples carry earlier timestamps, the firm believes the campaign may have begun before 2008.
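The compile date F-Secure cites comes from the TimeDateStamp field in the driver's PE/COFF header. The script below is an added example (not code from the article, Symantec or F-Secure) showing how an analyst reads that field from a file and why it is weighed rather than trusted: the value is written by the linker but can be set to anything, so a zeroed or out-of-window stamp is treated as a sign of tampering, which is why a dating conclusion rests on several samples. The sample header, the date window and the `pciclass.sys` path used in the usage line are constructed for the demonstration; the header holds no code and is not a real driver.

```python
import struct
from datetime import datetime, timezone

# Fixed offsets from the PE/COFF file format specification.
DOS_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C        # 4-byte little-endian offset of the "PE\0\0" signature
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20         # Machine, NumberOfSections, TimeDateStamp, ...
TIMESTAMP_IN_COFF = 4         # TimeDateStamp follows the two 2-byte fields


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Raises ValueError for anything that is not a PE file, so a caller can tell
    'not a PE' apart from 'a PE whose stamp is zero'.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("truncated before COFF header")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + TIMESTAMP_IN_COFF)
    return stamp


def timestamp_to_utc(stamp: int) -> datetime:
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, not_before: datetime, not_after: datetime) -> str:
    """Label a link-time stamp instead of taking it at face value.

    The field is a plain 32-bit integer anyone can rewrite; a zero, a value
    before the window the investigation considers possible, or one in the
    future says more about the toolchain or deliberate tampering than about
    when the code was built.
    """
    if stamp == 0:
        return "zeroed"
    when = timestamp_to_utc(stamp)
    if when < not_before:
        return "before-window"
    if when > not_after:
        return "future"
    return "plausible"


def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal header (DOS stub, signature, COFF header) for the demo."""
    hdr = bytearray(0x40 + 4 + COFF_HEADER_SIZE)
    hdr[0:2] = DOS_MAGIC
    struct.pack_into("<I", hdr, E_LFANEW_OFFSET, 0x40)
    hdr[0x40:0x44] = PE_SIGNATURE
    # Machine = IMAGE_FILE_MACHINE_I386 (0x14C), three sections, then the stamp under test.
    struct.pack_into("<HHI", hdr, 0x44, 0x014C, 3, stamp)
    return bytes(hdr)


def inspect_file(path: str, not_before: datetime, not_after: datetime) -> dict:
    """Report the stamp and verdict for one file on disk (e.g. a driver directory scan)."""
    with open(path, "rb") as fh:
        data = fh.read()
    stamp = pe_timestamp(data)
    return {
        "path": path,
        "stamp": stamp,
        "utc": timestamp_to_utc(stamp).isoformat(),
        "verdict": classify_timestamp(stamp, not_before, not_after),
    }


# Constructed values: a stamp matching the date F-Secure reported for the driver,
# and an assumed plausibility window for the investigation.
SAMPLE_STAMP = int(datetime(2008, 3, 7, tzinfo=timezone.utc).timestamp())
WINDOW = (
    datetime(2000, 1, 1, tzinfo=timezone.utc),
    datetime(2015, 1, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_STAMP)
    stamp = pe_timestamp(sample)
    print(timestamp_to_utc(stamp).date(), classify_timestamp(stamp, *WINDOW))
    # On a real host (hypothetical path): inspect_file(r"C:\Windows\System32\drivers\pciclass.sys", *WINDOW)
```

A stamp that parses and lands inside the window is still only one input; the defensible statement is the one F-Secure makes, that several samples together bound the earliest build date, not that any single file proves it.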

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.