SecureState Blog


How to Handle the State-Sponsored Stealth Spyware

Recently, security news has been focused on a particular new form of malware known as Regin. While the developer of this software remains officially unclear, most experts believe that Regin must have been developed by a group with large amounts of both time and money, which points to it being state-developed or at the very least state-sponsored. Given the various identified targets of the malware, as well as some other details about the software, the most likely developers are the US and UK governments. This malware is even mentioned specifically in some of the leaked Snowden documents as being used in 2012 by GCHQ (the UK equivalent of the US’s NSA).

While the usage of this malware has not always been clear, it has been used to infiltrate the GSM networks of cell phone providers and retrieve large amounts of call data. Although the full extent of this malware’s capabilities is still being explored, it is safe to assume that should it attack a system, this malware poses a very large threat.

Are You at Risk?

Right now, most users have a relatively low chance of becoming infected with this particular malware. In their whitepaper detailing the workings of this malware, Kaspersky reported that it has only been found in 14 countries so far, which include:

• Afghanistan
• Algeria
• Belgium
• Brazil
• Fiji
• Germany
• India
• Indonesia
• Iran
• Kiribati
• Malaysia
• Pakistan
• Russia
• Syria

Within these countries, only 27 different targets have been specifically identified as infected. As of now, the malware seems relatively limited in its scope. However, just because it is in a limited number of systems now does not mean it won’t spread.

The actual method of transmission remains fairly uncertain. Kaspersky confirms that in one instance the malware was spread using Yahoo Messenger, but otherwise transmission methods remain unknown. In order for the malware to run on your system, it has to be downloaded specifically onto it, which can be done in any of the usual ways. However, given the specific targeting of this attack, only users in the targeted countries and industries need to exercise heightened caution.

Detection and Protection

Currently, detecting Regin is complicated. The malware works in five separate stages, and the easiest point for detection is the first. During this stage, Regin exists as an executable file on the victim’s computer, most often built on top of some other program’s code. Various versions of Regin often contain blocks of useless code from these other programs as a decoy. This file can be detected, but it has already shown up in several different forms, making detection more difficult.

After this first stage, detection becomes increasingly difficult. Regin hides its various modules in NTFS Extended Attributes (EAs), splitting large files into several blocks that can later be joined, decrypted, and executed in memory. Additionally, from the second stage onward, Regin can cover its own tracks, removing startup code from the infected computer once it is no longer needed. Finally, Regin stores most of its code in encrypted file stores.

With all this in mind, US-CERT has released a list of indicators of compromise (IoCs) for Regin. IoCs are a list of known attributes of a particular piece of malware that can be added to network security solutions so they can monitor for that malware. For example, loading the list of IP addresses from the US-CERT IoCs into your network intrusion detection system can reveal whether any of your hosts are connecting to those addresses, indicating a Regin presence on your network. Using egress filtering (as discussed by SecureState here) can provide even more information on the actual flow of Regin’s traffic over the network, as well as allowing you to block communication between Regin and the attackers themselves.
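As an added example (not code from the original post, SecureState, or US-CERT), the script below shows the two checks just described run over a constructed outbound connection log: matching destination addresses against an IoC list, and evaluating each connection against an egress allowlist. The IoC addresses, the allowlist networks, and the log lines are all constructed placeholders drawn from the RFC 5737 documentation ranges; they are not the real Regin indicators, which must be taken from the US-CERT publication itself. The log format and function names are assumptions for the example.

```python
import ipaddress
import re

# Constructed placeholder IoC addresses (RFC 5737 documentation space) standing
# in for the IP addresses in the US-CERT Regin IoC list. NOT real indicators.
IOC_IPS = {
    "198.51.100.23",
    "203.0.113.77",
}

# Constructed egress allowlist: the only destinations this site is permitted to
# reach directly. Under egress filtering everything else is denied, which is what
# makes beaconing to an unknown server visible even without a matching IoC.
EGRESS_ALLOW = [
    ipaddress.ip_network("192.0.2.0/24"),      # assumed: outbound web proxy range
    ipaddress.ip_network("203.0.113.5/32"),    # assumed: upstream DNS resolver
]

# Constructed flow-log lines in a simple firewall-style format (assumed format).
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2014-12-01T10:00:01Z ALLOW src=10.1.1.15 dst=192.0.2.10 dport=443 proto=tcp
2014-12-01T10:00:07Z ALLOW src=10.1.1.22 dst=198.51.100.23 dport=80 proto=tcp
2014-12-01T10:00:09Z ALLOW src=10.1.1.15 dst=203.0.113.5 dport=53 proto=udp
this line is not a flow record
2014-12-01T10:01:30Z ALLOW src=10.1.1.22 dst=203.0.113.77 dport=443 proto=tcp
2014-12-01T10:02:00Z ALLOW src=10.1.1.40 dst=203.0.113.200 dport=8080 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse flow-log text into a list of dicts, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def ioc_hits(records):
    """Connections whose destination is on the IoC list, as (src, dst, timestamp)."""
    return [(r["src"], r["dst"], r["ts"]) for r in records if r["dst"] in IOC_IPS]


def egress_violations(records):
    """Connections an egress allowlist would deny, as (src, dst, dport).

    This catches the IoC destinations and also the unknown server on port 8080,
    which no IoC list would have flagged.
    """
    denied = []
    for r in records:
        dst = ipaddress.ip_address(r["dst"])
        if not any(dst in net for net in EGRESS_ALLOW):
            denied.append((r["src"], r["dst"], int(r["dport"])))
    return denied


def suspect_hosts(records):
    """Sorted list of internal hosts that contacted at least one IoC address."""
    return sorted({src for src, _, _ in ioc_hits(records)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(recs):
        print("IoC match:", hit)
    for denied in egress_violations(recs):
        print("Egress filter would deny:", denied)
    print("Hosts to investigate:", suspect_hosts(recs))
```

The IoC match on its own only tells you that a host talked to a listed address; the egress check adds the connection that matched no indicator at all, which is the extra visibility the post attributes to egress filtering.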