“Regin is an extremely complex piece of software that can be customized with a wide range of different capabilities, which can be deployed depending on the target,” according to Symantec Corporation (NASDAQ:SYMC).
Regin was designed for long-term intelligence gathering
The computer security company found that Regin was built on a framework designed for long-term intelligence-gathering operations that remain undetected. Given the malware's complexity and sophistication, Symantec Corporation (NASDAQ:SYMC) concluded that it was developed by a well-resourced team of developers.
According to the computer security company, Regin differs from traditional advanced persistent threats (APTs), which typically seek specific information, usually intellectual property.
Symantec Corporation (NASDAQ:SYMC) found that Regin is instead intended for data collection and continuous monitoring of targeted individuals or organizations. The company observed the malware in a range of organizations, including private companies, government entities and research institutes. Infections were also geographically diverse, spanning 10 different countries.
Symantec says Regin is a multi-staged, modular threat
Symantec Corporation (NASDAQ:SYMC) explained that Regin is a multi-staged, modular threat, meaning it is made up of several components that depend on each other to carry out an attack.
Regin's modular approach gives the threat's operators the flexibility to deploy custom features against a particular target. It also makes the threat harder for security researchers to analyze, since no single component reveals the whole. Symantec Corporation (NASDAQ:SYMC) said such a modular approach has been observed in other sophisticated malware families, including Flamer and Weevil.
According to the computer security company, Regin's multi-stage loading structure resembles that seen in the Duqu/Stuxnet family of threats.
Symantec Corporation (NASDAQ:SYMC) explained that Regin has a six-stage architecture. The initial stages involve the installation and configuration of the threat's internal services, and the later stages bring Regin's main payloads into play. Each stage is hidden and encrypted, with the exception of the first, and executing one stage decrypts and loads the next. Regin stores data files and payloads on disk in encrypted virtual file system files.
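To make the staged architecture described above concrete, the following Python is an added illustration and not Symantec's code or Regin's actual design: it models a chain in which only stage 0 sits on disk in plaintext and every later stage is encrypted under a key that the previous stage hands over. The SHA-256 counter-mode keystream, the key derivation, the stage names and the sample stage contents are all assumptions constructed for the example; the article does not describe Regin's cipher or key handling. The two checks at the end show why such a layout frustrates analysis: a byte signature for a later stage never appears in the on-disk files, and the encrypted stages look like high-entropy noise until the chain is actually executed.

```python
"""Toy model of a multi-stage loader chain: only stage 0 is stored in
plaintext; every later stage is encrypted and unlocked by the stage before it.
The cipher, key schedule and stage contents below are assumptions made for
this illustration, not Regin's actual design."""
import hashlib
import math
from typing import List

KEY_LEN = 32  # bytes of next-stage key prepended to each stage body

# Constructed sample: six stages (0..5), mirroring a six-stage layout.
SEED = b"example-seed"
SAMPLE_STAGES = [
    b"stage 0: dropper, installs stage 1 " * 10,
    b"stage 1: loader, decrypts stage 2 " * 10,
    b"stage 2: loader, decrypts stage 3 " * 10,
    b"stage 3: kernel-mode manager " * 10,
    b"stage 4: user-mode manager " * 10,
    b"stage 5: payload modules (keylogger, sniffer) " * 10,
]


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with the keystream: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def derive_key(seed: bytes, index: int) -> bytes:
    """Per-stage key (assumed derivation, for the example only)."""
    return hashlib.sha256(seed + index.to_bytes(4, "big")).digest()


def build_chain(stages: List[bytes], seed: bytes) -> List[bytes]:
    """Produce the on-disk form of each stage.

    Stage 0 is stored as-is; stage i > 0 is encrypted under key_i. The key for
    stage i+1 is embedded at the front of stage i's decrypted body, so a stage
    is only recoverable by running the one before it."""
    keys = [derive_key(seed, i) for i in range(len(stages) + 1)]
    on_disk = []
    for i, payload in enumerate(stages):
        body = keys[i + 1] + payload
        on_disk.append(body if i == 0 else xor_crypt(keys[i], body))
    return on_disk


def run_chain(on_disk: List[bytes]) -> List[bytes]:
    """Emulate the domino: each stage yields the key that unlocks the next."""
    loaded = []
    key = b""
    for i, blob in enumerate(on_disk):
        body = blob if i == 0 else xor_crypt(key, blob)
        key, payload = body[:KEY_LEN], body[KEY_LEN:]
        loaded.append(payload)
    return loaded


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted stages sit near 8, plaintext well below."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_hits(blobs: List[bytes], signature: bytes) -> List[int]:
    """Indexes of blobs that contain a plaintext byte signature."""
    return [i for i, blob in enumerate(blobs) if signature in blob]


if __name__ == "__main__":
    disk = build_chain(SAMPLE_STAGES, SEED)
    sig = b"kernel-mode manager"
    print("signature hits on disk:    ", signature_hits(disk, sig))
    print("signature hits after load: ", signature_hits(run_chain(disk), sig))
    for i, blob in enumerate(disk):
        print(f"stage {i}: {shannon_entropy(blob):.2f} bits/byte on disk")
```

Running the script shows the stage 3 signature matching only after the chain has been executed, and entropy near 7.3 bits/byte for every on-disk stage except stage 0. The practical lesson for defenders is the same one the article draws: static signatures against on-disk artifacts miss all but the first stage, so detection has to lean on the plaintext first stage, on runtime behaviour, or on the unusual presence of high-entropy container files.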
“The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist,” according to the company.
Symantec Corporation (NASDAQ:SYMC) started investigating the malware last year and has found two versions of Regin. Version 1.0 was deployed between 2008 and 2011, and version 2.0 has been deployed from 2013 to the present.