CIP Cyber

Who is Behind the sophisticated, stealthy Regin malware?

Table of Contents

An advanced piece of malware has been uncovered, which has been in use as far back as 2008 to spy on governments, companies and individuals, Symantec said in a report released Sunday.

Symantec Security Response has discovered a new malware called Regin which, they say, “…displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.”
This back-door trojan has been in use, according to the security company, since at least 2008, and has stayed under the radar since.

The level of quality and the amount of effort put into keeping it secret convinces Symantec that it is a primary cyberespionage tool of a nation state.

Regin is a multi-stage attack, each stage but the first encrypted and none by themselves especially revealing about the overall attack. The picture only emerges when you have all five stages.

Attacks were committed between 2008 and 2011 (Regin 1.0), at which point the malware disappeared. It resurfaced in 2013 (Regin 2.0) with some significant differences: the new version is 64-bit, and may have lost a stage.

Symantec has not found a stage 3 for the 2.0 version, which may be explained by the fact that the 1.0 stage 3 is a device driver, and installing device drivers on 64-bit Windows surreptitiously is a difficult proposition even, it would seem, for the most sophisticated of attackers.

Attacks were committed between 2008 and 2011 (Regin 1.0), at which point the malware disappeared. It resurfaced in 2013 (Regin 2.0) with some significant differences: the new version is 64-bit, and may have lost a stage.

Symantec has not found a stage 3 for the 2.0 version, which may be explained by the fact that the 1.0 stage 3 is a device driver, and installing device drivers on 64-bit Windows surreptitiously is a difficult proposition even, it would seem, for the most sophisticated of attackers.

Symantec’s description in their threat database of the threat, where they call it Backdoor.Trojan.GR, indicates that it was detected and protection provided on December 12, 2013. Presumably they did not know what they had until much more recently, and retrospective analysis revealed the true nature of the threat and its use prior years.

Even so, there is still

Read Full Article at ZDNET

CIP Cyber Staff

CIP Cyber Staff

CIP Cyber Staff comprises CIP cybersecurity experts committed to delivering comprehensive information on critical infrastructure protection. The content covers diverse topics, equipping professionals to defend organizations and communities in an ever-evolving cyber landscape.

Most popular

Industrial Cybersecurity

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings

Related Articles

Want always be up to date?

Don't miss the latest news

By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.

CIP Training & Certifications

Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings