GCHQ And NSA Might Be Behind New Variant Of Stuxnet-Like Malware Called Regin
A new sample of customizable malware has been discovered by Symantec. The malware, which resembles the Stuxnet worm, has been used since 2008 to steal data from telcos, SMEs, energy companies and even governments. According to the experts, either the UK or the US government could be the threat actor.
Symantec said in a recently published report that the malware, called ‘Regin’, bears the hallmarks of a state-sponsored operation and has been operating since early 2008, focusing especially on telecom operators, government departments, various other private sector organizations, academics and individuals.
Regin was first observed operating between 2008 and 2011 before, for no apparent reason, being ‘abruptly withdrawn’. A new version reappeared in 2013, targeting government entities, private companies and research institutes; however, research shows that nearly half of all infections are accounted for by SMEs and targeted individuals.
According to the research, 28 percent of all infections were in Russia and 24 percent in Saudi Arabia. Belgium, Austria and Ireland were the next most affected, with 5 percent, 5 percent and 9 percent respectively.
Regin shares some similarities with Stuxnet and with APT families such as Duqu and Flamer. However, Symantec says it differs in purpose: Regin simply monitors targets and collects data. The malware uses a multi-staged approach, with each stage hidden and encrypted; the complete package cannot be read unless all stages are decrypted.
Regin is also uncommonly stealthy: on infected machines most of its code is not visible, and the stolen data is likewise hidden from view. Its purpose can be difficult to determine even after it is detected; Symantec was able to analyze the payload only after numerous sample files were decrypted.
Regin also has stealth features such as non-standard encryption (it uses a variant of the rarely used RC5 cipher), EVFS (a custom-built virtual file system) and anti-forensics capabilities. Regin uses ICMP/ping to communicate back to the attacker, embedding commands in custom UDP and TCP protocols and in HTTP cookies.
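As an added defender's example (not code from Symantec, Fox-IT or this article), the following Python scores constructed ICMP flow records for the payload-size anomaly that a ping-based command channel like the one described above tends to produce; the record layout, thresholds and sample addresses are assumptions made for the example.

```python
# Flag ICMP echo traffic whose payload sizes look engineered rather than produced
# by a stock ping (fixed-size payload, steady rate). Flow records are constructed.
from collections import defaultdict

# Constructed flow records: timestamp,src,dst,proto,icmp_type,payload_bytes
SAMPLE_FLOWS = """\
2014-11-24T09:00:01,10.0.0.5,10.0.0.1,icmp,8,56
2014-11-24T09:00:02,10.0.0.5,10.0.0.1,icmp,8,56
2014-11-24T09:00:03,10.0.0.5,10.0.0.1,icmp,8,56
2014-11-24T09:00:05,10.0.0.7,203.0.113.9,icmp,8,212
2014-11-24T09:00:09,10.0.0.7,203.0.113.9,icmp,8,97
2014-11-24T09:00:13,10.0.0.7,203.0.113.9,icmp,8,318
2014-11-24T09:00:14,10.0.0.7,203.0.113.9,icmp,8,44
2014-11-24T09:00:20,10.0.0.9,10.0.0.1,tcp,-,1200
"""

def parse_flows(text):
    """Yield (src, dst, payload_len) for ICMP echo requests (type 8) only."""
    for line in text.splitlines():
        ts, src, dst, proto, icmp_type, size = line.split(",")
        if proto == "icmp" and icmp_type == "8":
            yield src, dst, int(size)

def flag_icmp_channels(text, max_payload=64, max_distinct=2, min_requests=3):
    """Return {(src, dst): [reasons]} for peer pairs whose echo requests use
    oversized payloads or too many different payload sizes for a normal ping."""
    sizes = defaultdict(list)
    for src, dst, size in parse_flows(text):
        sizes[(src, dst)].append(size)
    findings = {}
    for pair, sz in sizes.items():
        if len(sz) < min_requests:      # too few requests to judge
            continue
        reasons = []
        if max(sz) > max_payload:
            reasons.append(f"payload up to {max(sz)} bytes")
        distinct = len(set(sz))
        if distinct > max_distinct:
            reasons.append(f"{distinct} distinct payload sizes")
        if reasons:
            findings[pair] = reasons
    return findings

if __name__ == "__main__":
    for pair, reasons in flag_icmp_channels(SAMPLE_FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: {'; '.join(reasons)}")
```

Real ping clients do vary payload size on some platforms, so treat a hit as a triage lead to correlate with the host's other traffic rather than as proof of infection.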
Shortly after the report's release, a spokesman for Dutch security firm Fox-IT stated that the UK and US together could be the nation states behind the Regin malware.
Erik de Jong, who is responsible for the computer security incident response team at Fox-IT, said that the company had observed numerous versions of the malware and noted that its design makes it more of a malware framework that can be used against a broad range of targets. For instance, de Jong said it would be possible to add custom modules to it and sniff email traffic.
Adding that this framework could have been in use for over ten years, he said: “We think that it’s not very specific – it could be considered as a framework in such a way that it could actually be pretty flexible and used for various purposes.”
“The wheel does not need to be reinvented all the time – it also makes sense to just re-use something.”
De Jong felt quite confident about who the threat actor might be. “We think that this malware could be a making of the UK and US [governments].”
A blog post published by F-Secure earlier in the day said that the company had spotted Regin in 2009. F-Secure believes that neither the Chinese nor the Russian government is behind this malware.
Either way, it is neither surprising nor new that governments use some kind of malware or cookies to spy on everyday internet users, just as ISPs hold power over users’ internet freedom. A VPN can be used both as a tool to break the shackles that governments and ISPs put on people and as a means of protection. We offer amazing features and encryption to protect you from hackers and from anyone who would want to track your activity. Our no-logs policy makes the thousands of users we appreciate even happier!