Regin: Stealthy and Sophisticated


Regin first reared its ugly head between 2008 and 2011, abruptly went quiet, and then reappeared in 2013. Its targets range from private companies and various government agencies to private users and small businesses. Regin is a mysterious and malicious beast.

Mark James, ESET security specialist, talks us through what we do know about this nasty piece of malware. A nation-state-sponsored super trojan? Potentially, but that is the scary thing: much of the information surrounding Regin is still unknown.


“Designed to be very stealthy”


“Regin appears to be a very sophisticated piece of software: unlike many other forms of malware that are designed for one job, this particular piece can adapt to many different jobs, which include intelligence gathering, granting remote access or even taking screenshots.”

“It has been designed to be very stealthy, on a level we do not see very often; one of its primary objectives is to stay hidden and send information back to (or receive information from) its source command-and-control servers for as long as possible.”

“The malware itself is very capable of customizing itself to take on any number of roles, and this, I believe, is what has kept it in the wild for so long and reasonably undetected.”

“One of the other interesting points to note is that it does not target a specific industry sector, therefore being able to target private and government organisations and broadening again its targets.”


“Large scale data gathering”


“The code itself is quite complex and uses encryption to protect itself, along with storing its data within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of the disk: this all makes it harder to detect, as most traditional malware does not use these places.”
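The last of those hiding places, raw sectors outside any partition, is something a responder can check for offline from a disk image, and an encrypted stash shows up as a high-entropy run of bytes where a wiped disk would have zeros. The following is an added example written for this article, not code from ESET or from the Regin analysis: it parses a raw MBR-partitioned image with 512-byte sectors, lists every sector that no partition owns, and reports the ones that are not all zero together with their Shannon entropy. The 32 KiB disk image, the partition layout, and the two stashed blobs are constructed inline for the demonstration.

```python
import math
import struct

SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_mbr_partitions(image: bytes):
    """Return [(start_lba, sector_count), ...] for the four primary MBR entries."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = image[off + 4]
        start_lba, count = struct.unpack_from("<II", image, off + 8)
        if ptype != 0 and count:
            parts.append((start_lba, count))
    return parts


def unallocated_sectors(image: bytes):
    """Yield LBAs owned by no partition (sector 0, the MBR itself, is excluded)."""
    parts = parse_mbr_partitions(image)
    total = len(image) // SECTOR
    for lba in range(1, total):
        if not any(s <= lba < s + c for s, c in parts):
            yield lba


def find_hidden_data(image: bytes):
    """Return (lba, nonzero_byte_count, entropy) for unallocated sectors that are not all zero.

    Covers both the gap between the MBR and the first partition and the slack
    past the last partition, i.e. the "raw sectors at the end of disk" case.
    """
    hits = []
    for lba in unallocated_sectors(image):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        nonzero = SECTOR - sec.count(0)
        if nonzero:
            hits.append((lba, nonzero, shannon_entropy(sec)))
    return hits


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed 32 KiB disk: one partition at LBA 2..51 and two stashes outside it."""
    img = bytearray(total_sectors * SECTOR)
    # MBR entry 0: bootable, type 0x07 (NTFS), starting LBA 2, 50 sectors long
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2, 50)
    img[510:512] = b"\x55\xaa"
    # partition body: low-entropy filler standing in for file-system data
    for lba in range(2, 52):
        img[lba * SECTOR:(lba + 1) * SECTOR] = b"A" * SECTOR
    # stash 1 (constructed): a plaintext marker in the gap between MBR and first partition
    img[1 * SECTOR:1 * SECTOR + 9] = b"HIDDENCFG"
    # stash 2 (constructed): an "encrypted" blob in the slack past the last partition;
    # every byte value appears exactly twice, so its entropy is exactly 8 bits/byte
    blob = bytes((i * 131 + 7) % 256 for i in range(SECTOR))
    img[60 * SECTOR:61 * SECTOR] = blob
    return bytes(img)


if __name__ == "__main__":
    for lba, nz, ent in find_hidden_data(build_sample_image()):
        print(f"LBA {lba}: {nz} non-zero bytes, entropy {ent:.2f} bits/byte")
```

Two caveats when running this against a real image: the sectors between the MBR and the first partition legitimately hold boot-loader stages on many systems, so a low-entropy hit there needs a second look rather than an alarm, and a GPT disk carries a protective MBR entry of type 0xEE that spans the whole device, so GPT layouts need a GPT parser before the same slack check applies.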

“Regin almost certainly has been used for very large-scale data gathering; it has taken a lot of resources to create and most probably will have many variants, both waiting to be released and in the wild already.”

“We would be naive to think there are no other very similar complex pieces of malware out there undetected quietly sitting on hardware gathering data and sending it back for intelligence and malicious means.”