Regin is a highly targeted malware designed to watch over just a handful of targets, with only around 100 infections uncovered since 2008, including the famous cryptographer Jean-Jacques Quisquater. It shows “a degree of technical competence rarely seen,” according to Symantec.
Known targets include government bodies, banks, small businesses and academics.
Quisquater was targeted directly; the infection was discovered only after the federal police examined his machine thoroughly, since the initial scans had shown no signs of malware. According to Quisquater:
“The used malware is very clever, very difficult to detect, nearly impossible to remove… In fact the malware was only active when I was outside my home.” He also says that he was “not alone to be attacked in such a way”, and that “Maybe the cryptography research is under surveillance”. More on the Quisquater case.
The Regin Malware
Regin is Windows spyware that stores part of its code in the Windows registry. Infection proceeds in several stages. A “dropper”, a Trojan horse that can be installed by visiting a compromised website, performs the initial infection; the dropper then determines the OS and installs further modules designed for taking screenshots, stealing passwords, monitoring the network and controlling the mouse.
Russia’s Kaspersky Lab said that Regin also infected cellular phone base stations. In one unnamed Middle Eastern country Regin apparently created its own private peer-to-peer network, in which the nodes included the office of the country’s president, a bank, an educational institution and a research facility.
Who Is Behind These High-Profile Targeted Attacks?
Regin has been in operation since 2008/2009. Earlier in 2014 it became famous because Jean-Jacques Quisquater had been hit by this malware, which was found during the investigations into an alleged GCHQ attack on the Belgian ISP Belgacom. Until now, Quisquater and many others had told us that these attacks probably did not come from the NSA/GCHQ. After more careful analysis by many experts, however, we are now told that it is very advanced and clearly related to the targeted-attack programs described by Snowden. Erik de Jong claims it does come from the NSA/GCHQ, and the analysis of timestamps in the files shows that the developers started work at 10AM UK time. F-Secure has also stated in a blog post that this malware clearly “isn’t coming from Russia or China.”
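The timestamp argument above rests on a simple technique: convert the compile timestamps of the recovered modules into candidate local time zones and see in which zone the hours cluster into a normal working day. The following is an added illustration, not code from the original post or from any of the analysts cited; the timestamps are constructed for the example and are not real Regin values, and the zone names are standard IANA identifiers.

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample of compile timestamps, standing in for the
# IMAGE_FILE_HEADER.TimeDateStamp values one would read from each module.
# Built here as UTC datetimes so the example runs offline; NOT real Regin data.
SAMPLE_UTC = [
    (2009, 1, 12, 10, 15), (2009, 1, 12, 11, 40), (2009, 1, 13, 10, 5),
    (2009, 1, 13, 14, 30), (2009, 1, 14, 16, 45), (2009, 1, 15, 10, 50),
    (2009, 1, 15, 13, 10), (2009, 1, 16, 12, 20),
    # Summer stamps: London is on BST (UTC+1), so the local hour shifts by one.
    (2009, 7, 14, 9, 5), (2009, 7, 15, 15, 30), (2009, 7, 16, 9, 40),
    (2009, 7, 17, 13, 0),
]
SAMPLE_TIMESTAMPS = [
    int(datetime(*parts, tzinfo=timezone.utc).timestamp()) for parts in SAMPLE_UTC
]


def local_hours(timestamps, tz_name):
    """Convert epoch seconds to the hour-of-day in the given IANA zone."""
    tz = ZoneInfo(tz_name)
    return [datetime.fromtimestamp(ts, tz).hour for ts in timestamps]


def work_window(timestamps, tz_name):
    """Earliest and latest local hour seen, plus a per-hour histogram."""
    hours = local_hours(timestamps, tz_name)
    counts = Counter(hours)
    return min(hours), max(hours), dict(sorted(counts.items()))


def office_hours_share(timestamps, tz_name, start=9, end=18):
    """Fraction of stamps inside a 09:00-18:00 local working day.
    A zone where this is close to 1.0 is consistent with the developers'
    location; a zone where it is low is not."""
    hours = local_hours(timestamps, tz_name)
    inside = sum(1 for h in hours if start <= h < end)
    return inside / len(hours)


if __name__ == "__main__":
    for zone in ("Europe/London", "America/New_York", "Asia/Shanghai"):
        first, last, _hist = work_window(SAMPLE_TIMESTAMPS, zone)
        print(f"{zone:18} first={first:02d}h last={last:02d}h "
              f"office-hours share={office_hours_share(SAMPLE_TIMESTAMPS, zone):.2f}")
```

Reading the raw stamps as UTC gives a 09:00 start; only after conversion to Europe/London (including the summer-time offset) do all samples line up with a 10:00 start, which is the kind of inference the post refers to. Compile timestamps can be forged, so this is supporting evidence at best, never proof on its own.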