Highly advanced backdoor trojan cased high-profile targets for years

23:53 Tuesday Nov 25, 2014


"Backdoor Regin" bears a resemblance to Stuxnet and was developed by a wealthy nation.

Researchers have unearthed highly advanced malware they believe was developed by a wealthy nation-state to spy on a wide range of international targets in diverse industries, including hospitality, energy, airline, and research.

Backdoor Regin, as researchers at security firm Symantec are referring to the trojan, bears some resemblance to previously discovered state-sponsored malware, including the espionage trojans known as Flame and Duqu, as well as Stuxnet, the computer worm and trojan that was programmed to disrupt Iran's nuclear program. Regin likely required months or years to be completed and contains dozens of individual modules that allowed its operators to tailor the malware to individual targets.

To remain stealthy, the malware is organized into five stages, each of which is encrypted except for the first one. Executing the first stage triggers a domino chain in which the second stage is decrypted and executed, and that in turn decrypts the third stage, and so on. Analyzing and understanding the malware requires researchers to acquire all five stages. Regin contains dozens of payloads, including code for capturing screenshots, seizing control of an infected computer's mouse, stealing passwords, monitoring network traffic, and recovering deleted files. Other modules appear to be tailored to specific targets. One such payload included code for monitoring the traffic of a Microsoft IIS server. Another sniffed the traffic of mobile telephone base station controllers.

Symantec researchers believe Regin was a sprawling framework that was used in multiple campaigns that date back to 2008 and possibly several years earlier. Liam O'Murchu, manager of operations for Symantec Security Response, told Ars that the roster of modules used against one target was often unique, an indication that Regin was used in multiple campaigns.

The Five Stages of Regin

"Essentially, what we think we're looking at is different campaigns where in one infection they needed to sniff your keyboard, whereas in another infection they wanted to grab the user name and password of the admin connected to a base station controller," O'Murchu said.

While almost half of the computers known to be infected by Regin were inside Internet service providers, Symantec believes they were attacked so the operators could spy on specific customers who used the ISPs. Similarly, telecommunication backbone providers, which at 28 percent accounted for the second biggest category of infected computers, were likely chosen so attackers could gain access to calls being routed through their infrastructure.

There is still much Symantec doesn't know about Regin. So far, company researchers are aware of only about 100 infections, a number that seems small for such a sprawling framework of malware. The researchers have yet to uncover the command and control system the attackers used to communicate with infected computers, and they still don't have any educated hunches about the country behind the malware. The malware is known to have been active from 2008 until 2011, when it was abruptly pulled by its operators for unknown reasons. Regin, which is the name Microsoft assigned to the underlying trojan, resurfaced in 2013. Symantec researchers became aware of the malware in December of that year.

    © copyright 2013 Website News. All rights reserved.