Backdoor trojan discovered stalking high-profile targets

Researchers have unearthed an advanced malicious software application used to spy on private companies, governments, research institutes and individuals in ten countries.

The researchers at Norton antivirus maker Symantec said they had discovered an unidentified "nation state" was likely the developer of the malware called Regin, or Backdoor.Regin, and that it had been active since 2008. 

Symantec said Regin's design "makes it highly suited for persistent, long-term surveillance operations against targets," and said it was withdrawn in 2011 but resurfaced in 2013.

The malware uses several stealth features "and even when its presence is detected, it is very difficult to ascertain what it is doing," according to Symantec.

The company said "many components of Regin remain undiscovered and additional functionality and versions may exist".

Almost half of all infections occurred at addresses of internet service providers although no specific countries or victims were identified. The report summised targets were customers of the companies rather than the companies themselves.

About 28 percent of targets were in telecoms while other victims were in the energy, airline, hospitality and research sectors.

Symantec described the malware as having five stages, each "hidden and encrypted, with the exception of the first stage." It said "each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyse and understand the threat."

Backdoor.regin architecture. Source: Symantec

Regin also uses a modular approach that allows it to load custom features tailored to targets, the same method applied in other malware, such as Flamer and Weevil (The Mask), the antivirus company said.

Some of its features were also similar to Duqu malware, uncovered in September 2011 and related to the Stuxnet worm, which was discovered the previous year and which is believed to have been written by spy agencies in the United States and Israel.

Symantec said Russia and Saudi Arabia accounted for about half of the confirmed infections of the Regin malware. Other countries affected included Mexico, Ireland, India, Iran, Afghanistan, Belgium, Austria and Pakistan.