1st Duqu. Next came Stuxnet. Now Regin.

An “extremely complex” and “stealthy” Stuxnet Equivalent spying program has been stealing data from ISPs, energy companies, airlines and research-and-development labs.

Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.

regin

Regin is a highly-complex threat which has been used in systematic data collection or intelligence gathering campaigns. The development and operation of this malware would have required a significant investment of time and resources, indicating that a nation state is responsible. Its design makes it highly suited for persistent, long term surveillance operations against targets.

The discovery of Regin highlights how significant investments continue to be made into the development of tools for use in intelligence gathering. Symantec believes that many components of Regin remain undiscovered and additional functionality and versions may exist. Additional analysis continues and Symantec will post any updates on future discoveries.

Read the Symantec paper on it here.

This entry was posted in Security Blog and tagged , , , , . Bookmark the permalink.