Symantec: 'Regin' Spying On People, Businesses Since 2008

Symantec reported that it has discovered malware called Regin that's been in use since 2008, if not earlier. The security firm believes that this Trojan has likely been used in information-gathering campaigns and/or "systematic data collection."

According to Symantec, Regin is a customizable back-door Trojan capable of mass surveillance, and it's used to spy on a number of targets including individuals, businesses and governments. The identity of its owners is unknown, as the authors have gone out of their way to hide the malware's origins. However, the nature of the Trojan confirms that loads of time and money have been dumped into its development, possibly by a nation state.

The first version of Regin was used between 2008 and 2011; a new version then appeared in 2013. Both versions spied on small businesses and private individuals (48 percent), telecoms (28 percent), hospitality (9 percent) and more. Most of the infections took place in Russia (28 percent), Saudi Arabia (24 percent), Mexico (9 percent), Ireland (9 percent), India (5 percent) and five additional territories.

Symantec reported that Regin consists of several stages, and each one is encrypted and hidden except for the first stage. "Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat," Symantec stated.

Symantec also said that the Trojan is modular, allowing the authors to use custom features when going after a specific target. Many victims may have acquired the Trojan by visiting fake websites that look nearly identical to the legitimate versions. The company also mentioned applications, indicating that Android devices may also be involved.

So what can this Trojan acquire from unsuspecting victims? Regin can recover deleted files, take screenshots, steal passwords, take control of the victim's mouse and more. The Trojan also has forensics capabilities, as well as a custom-built encrypted virtual file system (EVFS).

"The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering," the security firm reported. "Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist."

Symantec's report said that the firm will continue to analyze the Trojan and provide updates if additional information is found.

Meanwhile, security firm F-Secure also posted a small report on Sunday, revealing that the firm first ran into Regin almost six years ago. The Trojan was discovered in Northern Europe, residing on a Windows server. "A driver with an innocuous name of 'pciclass.sys' seemed to be causing the crashes. Upon closer analysis it was obvious that the driver was in fact a rootkit, more precisely one of the early variants of Regin," the report said.

The rootkit driver was compiled on March 7, 2008, but because a few other samples carry earlier timestamps, the firm believes that the campaign may have begun before 2008.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

  • f-14
    This is becoming a Tom's motto: "better late than never."
    Is Tom's going to even write an article today about Sony Pictures being taken down by #GOP?

    Here is the link for Tom's to plagiarize:

    Sony Pictures Targeted by Apparent Hack Attack to Corporate Systems

    Sony Pictures | NOVEMBER 24, 2014 | 11:51AM PT | Todd Spangler, NY Digital Editor
    Sony Pictures Entertainment has told employees companywide to not connect to corporate networks or access email, after the studio was hit Monday by what appeared to be a malicious hacker attack threatening to disclose “secrets,” Variety has confirmed.

    The apparent hack was reported earlier by “We are investigating an I.T. matter,” SPE spokeswoman Jean Guerin said in an emailed statement. The hack apparently is not affecting other divisions of Sony Corp., sources said.

    According to a source at Sony Pictures, the company is telling employees that the situation may take anywhere from one day to three weeks to resolve. The source said a photo appeared on company computers Monday morning with an image of a skeleton and a message saying “Hacked by #GOP.” The message then says, “Warning: We’ve already warned you, and this is just the beginning… We have obtained all your internal data including secrets and top secrets.”

    Sony’s information-technology departments have instructed employees to turn off their computers as well as disable Wi-Fi on all mobile devices.

    The “Hacked by #GOP” message warned that the data supposedly obtained from Sony’s systems would be divulged Nov. 24, at 11 p.m. GMT, which is 3 p.m. Pacific/6 p.m. Eastern on Monday. It isn’t clear at this point which individual or groups are responsible for the attack, or specifically what the hackers’ aims are.

    The SPE attack is being linked to a group called “Guardians of Peace,” Bloomberg reported, citing an anonymous source.

    In August, hackers claimed they took down Sony’s PlayStation Network via a denial-of-service attack, which overwhelms systems with bogus network requests. According to the company, no personal data of PlayStation Network’s 53 million users was compromised in the Aug. 24 incident, and access was restored the following day. In 2011, a more serious security breach exposed names and passwords of millions of PlayStation Network customers.