Symantec’s continuing investigation into the Regin Trojan has cast new light on the cyberespionage tool, revealing a wider range of capabilities and a complex infrastructure supporting the threat.
Regin was uncovered last year by Symantec and remains one of the most advanced spying tools discovered to date. The malware has been in circulation since at least 2008 and has been used against a range of targets, including government organizations, infrastructure operators, businesses, researchers, and private individuals.
New modules
Regin is a five-stage threat, with each stage loading and decrypting the next one. The malware is modular in structure, which allows its controllers to add and remove specific features depending on the target. Some Regin modules control basic functions of the malware, such as networking or handling Regin’s encrypted virtual file system (EVFS). Other modules act as payloads, dictating the functionality of each Regin infection.
As outlined in an updated technical whitepaper, Symantec has found 49 new modules, bringing the total number of Regin modules uncovered to 75. This remains an incomplete list. A number of other Regin payloads are known to exist since some modules analyzed contain references to them.
Command and control
Symantec has found an extensive command-and-control (C&C) infrastructure supporting Regin infections. The attackers have devised a complex system for communication with C&C servers, in which traffic is relayed through a network of Regin-infected computers. Compromised computers can act as a proxy for other infected computers and peer-to-peer (P2P) communications are used. The networking protocols used by the malware are extensible and can be configured between each pair of Regin-infected computers, providing the attackers with a granular level of control over C&C communications.
All C&C communications use strong encryption and follow a two-stage protocol, where the attackers contact the infected computer on one channel and instruct it to open communications on another. A single Regin module (0009h) is responsible for the core handling of communications protocols, while each individual protocol has its own separate module. A total of six transport protocols have been identified: ICMP, UDP, TCP, HTTP Cookies, SSL, and SMB.
Regin’s P2P communications capability sees each Regin infection assigned a virtual IP address, forming a virtual private network (VPN) on top of the physical network of the infected computer. This P2P capability allows the attackers to maintain deep access to critical assets within compromised organizations and mask core infrastructure belonging to the group. Traffic between nodes can be configured to match expected protocols based on where the nodes are placed on a network, adding a further degree of stealth to communications.
Remote procedure call (RPC) mechanism
Regin’s authors facilitate communication between modules with a lightweight remote procedure call (RPC) mechanism. This RPC mechanism appears to be custom-built.
The RPC mechanism allows for procedure calls to be made locally and across the network of Regin-infected computers. Operators can directly call any procedure on the Regin network to remotely control, install, or update modules, or change module configuration by replacing EVFS files.
Regin’s legacy
Despite the threat’s exposure last year, it is unlikely that the group behind this malware has ceased operations. Its track record and available resources mean it is probable that the group will re-equip itself with a new threat or upgrade Regin in a bid to evade detection. The latter is the most likely course of action, given the time it would take to develop an equally capable malware framework from scratch.
In terms of technical capabilities, Regin was several years ahead of most other threats. Its impact may continue to be felt as other, less advanced threat actors draw inspiration from it and copy its features in a bid to improve their own tools.
Further reading
Indicators of compromise for security administrators and more detailed technical information can be found in our updated technical paper−Regin: Top-tier espionage tool enables stealthy surveillance
Protection
Symantec and Norton products detect this threat as Backdoor.Regin.