Regin, the RAT used against "Google Russian" Yandex

(To Francesco Rugolo)
17/07/19

In the world of computer security, the potential risks to companies and institutions, in the form of malware e toolkit they are numerous and widespread.
Groups of experts, often sponsored by governments for monitoring and espionage, fight a war that has only the means with which it is fought but with more than tangible implications. This has been proven during the attack on Iran through malware Stuxnet (v.articolo).

Also from the creators of Stuxnet, namely from the IT espionage group connected to the NSA (National Security Agency), one of the supposedly comes from toolkit more complex and powerful in recent years, the so-called Regin.

Regin is categorized as a RAT (Remote Access Trojan), was discovered by various computer security companies such as Kaspersky labs and Symantec in the autumn of 2013 even though it was present and active well before.

The first use of Regin is dated 2008 with its 1.0 version, active until 2011. In the 2013 it returns with a new 2.0 version even if it is speculated on possible intermediate versions active during these two years of pause.

What makes this software special is the incredible ability to be adapted to the targeted target, often institutions and companies. Regin has hit a large percentage of Internet Service Providers and Telcos located mainly in Russia and Saudi Arabia, but has also caused problems for European institutions and companies.

But how does it Regin to be so effective, how is it used to appropriate sensitive information?

Regin has various features, mainly used to monitor and steal information such as passwords and any type of file, can take screenshots, take control of mouse and keyboard functionality, monitor data traffic on a network etc.

The software architecture is complex and modular, divided into 6 stages. Below for those who want to learn more here is the link to the Symantec document which explains in detail the architecture of the framework with references to the type of encrypting and protocols used (link).

The Regin infection vectors are unclear precisely because of its ability to be adapted to different targets in different situations. In one case the infection vector was the application Yahoo! instant messenger, in other cases usb infected.

The activity of Regin it does not stop at the 2008-2011 and 2013-2014 years alone but goes on to the present day, with a last great attack perpetrated against the Russian giant Yandex at the end of 2018.

We still do not have all the information necessary to fight and identify Regin, which manages to remain unnoticed for months in a network before being discovered.

This makes us understand the complexity of the software and the importance it covers in the environment of computer espionage, an environment that today more than ever is the theater of wars that have the power to influence companies, institutions and entire nations.

Sources:

https://www.symantec.com/it/it/outbreak/?id=regin

https://www.kaspersky.it/blog/regin-la-campagna-apt-piu-sofisticata/5306/

https://securityaffairs.co/wordpress/87707/breaking-news/regin-spyware-y...

https://www.reuters.com/article/us-usa-cyber-yandex-exclusive-idUSKCN1TS2SX