An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since at least 2008. A back door-type Trojan, Regin is a complex piece of malware whose structure displays a degree of technical competence rarely seen. Customizable with an extensive range of capabilities depending on the target, it provides its controllers with a powerful framework for mass surveillance and has been used in spying operations against government organizations, infrastructure operators, businesses, researchers, and private individuals.
It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.
It’s unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved in advanced mathematical/cryptographical research
- Intelligence gathering
- Facilitating other types of attacks
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
Another interesting victim of Regin is a computer we are calling “The Magnet of Threats“. This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.
Contents [hide]
- Initial compromise and lateral movement
- The Regin platform
- Virtual File Systems (32/64-bit)
- Unusual modules and artifacts
- GSM Targeting
- Communication and C&C
- Victim Statistics
- Attribution
- Timeline and target profile
- Infection vector and payloads
- Stealth
- Conclusions
- Further reading
- Source
- Protection information
- Disclaimer:
Read the rest of it here: Regin: Top-tier espionage tool enables stealthy surveillance