http://arstechnica.com/security/2014/11/highly-advanced-backdoor-trojan-cased-high-profile-targets-for-years/
By Dan Goodin
Ars Technica
Nov 23 2014
Researchers have unearthed highly advanced malware they believe was
developed by a wealthy nation-state to spy on a wide range of
international targets in diverse industries, including hospitality,
energy, airline, and research.
Backdoor Regin, as researchers at security firm Symantec are referring to
the trojan, bears some resemblance to previously discovered
state-sponsored malware, including the espionage trojans known as Flame
and Duqu, as well as Stuxnet, the computer worm and trojan that was
programmed to disrupt Iran's nuclear program. Regin likely required months
or years to be completed and contains dozens of individual modules that
allowed its operators to tailor the malware to individual targets.
To remain stealthy, the malware is organized into five stages, each of
which is encrypted except for the first one. Executing the first stage
triggers a domino chain in which the second stage is decrypted and
executed, and that in turn decrypts the third stage, and so on. Analyzing
and understanding the malware requires researchers to acquire all five
stages. Regin contains dozens of payloads, including code for capturing
screenshots, seizing control of an infected computer's mouse, stealing
passwords, monitoring network traffic, and recovering deleted files. Other
modules appear to be tailored to specific targets. One such payload
included code for monitoring the traffic of a Microsoft IIS server.
Another sniffed the traffic of mobile telephone base station controllers.
Symantec researchers believe Regin was a sprawling framework that was used
in multiple campaigns that date back to 2008 and possibly several years
earlier. Liam O'Murchu, manager of operations for Symantec Security
Response, told Ars that the roster of modules used against one target was
often unique, an indication that Regin was used in multiple campaigns.
"Essentially, what we think we're looking at is different campaigns where
in one infection they needed to sniff your keyboard whereas in another
infection they wanted to grab the user name and password of the admin
connected to a base station controller," O'Murchu said.
[...]