49 new Regin backdoor modules discovered
Since Symantec and Kaspersky Lab researchers presented their findings on the Regin backdoor late last year, there has been only one additional publicly revealed sighting of (a part of) the sophisticated espionage tool, and it pointed to the conclusion that the malware is wielded by the Five Eyes intelligence alliance.
The Regin backdoor has been used since at least 2008 to mount spying operations against government organizations, infrastructure operators, private sector businesses, but also researchers and private individuals, mostly in the Russian Federation and Saudi Arabia, but also in Mexico, Ireland, India, Iran, Belgium, Afghanistan and Pakistan.
The malware is not used to collect specific information – it is used for the collection of various types of data and the continuous monitoring of targeted organizations or individuals.
“Regin is a five-stage threat, with each stage loading and decrypting the next one. The malware is modular in structure, which allows its controllers to add and remove specific features depending on the target,” Symantec researchers explain. “Some Regin modules control basic functions of the malware, such as networking or handling Regin’s encrypted virtual file system (EVFS). Other modules act as payloads, dictating the functionality of each Regin infection.”
Since their initial report on the backdoor in 2014, they still haven’t obtained the initial dropper, but they have discovered 49 new modules (the total number has now reached 75), which provide a wide variety of spying, exfiltration, forensics, transport, filtering, and cryptographic capabilities.
The malware uses six transport protocols for communication and data exfiltration: ICMP, UDP, TCP, HTTP Cookies, SSL, and SMB. The communication traffic to the C&C servers is relayed through a network of Regin-infected computers.
“Regin’s P2P communications capability sees each Regin infection assigned a virtual IP address, forming a virtual private network (VPN) on top of the physical network of the infected computer. This P2P capability allows the attackers to maintain deep access to critical assets within compromised organizations and mask core infrastructure belonging to the group,” the researchers pointed out, and explained that traffic between nodes can be configured to match expected protocols based on where the nodes are placed on a network, adding a further degree of stealth to communications.
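The relay pattern described above, where infected hosts forward traffic for their peers over whatever transport looks normal for their position in the network, leaves a footprint a defender can look for in flow data: an internal host that receives traffic from several other internal hosts and then talks outbound itself. The following script is an added example, not code from the article or from Symantec, and runs a simple relay heuristic over constructed flow records. The record format, the internal address ranges, the threshold and the sample flows are all assumptions made for the illustration; the set of transports it scopes to is the one the article lists.

```python
"""Relay-pattern heuristic over constructed flow records.

Flags internal hosts that (a) receive traffic from two or more other
internal hosts and (b) also send traffic to an external address, using
only the transports the article names for Regin C&C. Purely illustrative:
the record format and sample data are constructed for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges; adjust to the monitored environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Transports the article lists for Regin communication; used only to scope the check.
COVERT_CAPABLE = {"ICMP", "UDP", "TCP", "HTTP", "SSL", "SMB"}

# Assumed one-line flow format: "<timestamp> proto=<p> src=<ip> dst=<ip> bytes=<n>"
FLOW_RE = re.compile(
    r"proto=(?P<proto>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes=(?P<bytes>\d+)"
)

# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    "2015-08-27T09:58:12 proto=TCP src=10.0.1.20 dst=10.0.1.30 bytes=52000",    # workstation -> file server
    "2015-08-27T09:59:40 proto=SSL src=10.0.1.30 dst=203.0.113.50 bytes=8800",  # file server -> external, one internal peer only
    "2015-08-27T10:00:01 proto=ICMP src=10.0.1.20 dst=10.0.1.5 bytes=1400",     # two internal peers feed 10.0.1.5 ...
    "2015-08-27T10:00:03 proto=SMB src=10.0.2.7 dst=10.0.1.5 bytes=96000",
    "2015-08-27T10:00:05 proto=HTTP src=10.0.1.5 dst=203.0.113.9 bytes=97200",  # ... which then forwards outbound
    "2015-08-27T10:00:09 proto=GRE src=10.0.3.1 dst=10.0.1.5 bytes=300",        # outside the scoped transport set; ignored
    "malformed record",                                                           # rejected by the parser
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one flow record; return a dict, or None if the line is unusable."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    try:
        ip_address(m["src"])
        ip_address(m["dst"])
    except ValueError:
        return None
    return {
        "proto": m["proto"].upper(),
        "src": m["src"],
        "dst": m["dst"],
        "bytes": int(m["bytes"]),
    }


def find_relay_hosts(lines, min_internal_peers: int = 2):
    """Return {host: details} for internal hosts matching the relay pattern."""
    inbound = defaultdict(set)    # host -> internal hosts that send to it
    outbound = defaultdict(set)   # host -> external hosts it sends to
    protocols = defaultdict(set)  # host -> transports seen on either side

    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] not in COVERT_CAPABLE:
            continue
        src, dst = flow["src"], flow["dst"]
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
            protocols[dst].add(flow["proto"])
        elif is_internal(src):
            outbound[src].add(dst)
            protocols[src].add(flow["proto"])

    findings = {}
    for host in set(inbound) & set(outbound):
        if len(inbound[host]) >= min_internal_peers:
            findings[host] = {
                "internal_peers": sorted(inbound[host]),
                "external_peers": sorted(outbound[host]),
                "protocols": sorted(protocols[host]),
            }
    return findings


if __name__ == "__main__":
    for host, details in find_relay_hosts(SAMPLE_FLOWS).items():
        print(host, details)
```

On the constructed sample only 10.0.1.5 is reported: it is fed by two internal peers over ICMP and SMB and then talks HTTP to an external address, while 10.0.1.30 (one internal peer, then SSL outbound) stays under the threshold. Such a heuristic is a triage aid, not proof of compromise; legitimate proxies, file servers and jump hosts produce the same shape and need to be allow-listed or tuned out.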
Despite the fact that the researchers haven’t managed to get their hands on newer versions of the malware, they say it’s unlikely that the group using it has stopped developing it.
It’s also unlikely that the group has ceased operations.
“Its track record and available resources mean it is probable that the group will re-equip itself with a new threat or upgrade Regin in a bid to evade detection. The latter is the most likely course of action, given the time it would take to develop an equally capable malware framework from scratch,” the researchers noted.
On the other hand, it’s also possible that they have been working on another attack framework for years now, getting it ready to replace Regin as soon as its exposure makes it too dangerous and ineffective to use.