Symantec on Sunday published research describing a new family of malware that it claims has been circulating, quietly, for close to six years. (Gulp!)
According to a post on Symantec’s Security Response blog, Regin infections have been observed as far back as 2008, but the malware went quiet after about 2011, only to resurface in 2013 in attacks on a wide range of targets including private and public entities and research institutes. Symantec also observed the malware used in attacks on telecommunications firms and says it appears the malware was being used “to gain access to calls being routed through their infrastructure.”
In a separate research paper, Symantec describes the malware, dubbed “Backdoor.Regin,” as a multi-staged threat that uses encrypted components – installed in a series of stages – to escape detection. The key to the malware’s stealth is compartmentalization, Symantec found: “each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.”
The use of encryption makes Regin similar to sophisticated malware families like “Flamer” and “Weevil,” Symantec said. The malware’s use of modular loading makes it akin to super-stealthy nation-state malware like Stuxnet.
However, unlike those so-called “APT” (or advanced persistent threat) malicious programs, Regin is opportunistic: collecting data and monitoring targeted organizations, rather than trying to achieve the compromise or destruction of a specific target.