One of the first Google results for “Regin malware” is from the U.S. Cybersecurity and Infrastructure Security Agency. It’s a Nov. 25, 2014, alert about the malware, providing an overview of Regin’s multi-stage structure.
The alert notes that the “sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns” had not been identified as targeting any organizations in the United States. This is not a huge surprise since Regin is thought to be the handiwork of the U.S. National Security Agency and the British Government Communications Headquarters (GCHQ).
Abuzz with revelations leaked by Edward Snowden, the intelligence and cybersecurity communities were fascinated by the depth to which the Five Eyes Alliance — the US, UK, Australia, Canada, and New Zealand — operated. Although Snowden’s leaks detailed surveillance of individuals, Regin itself targets major entities. Known targets include the Belgian telecommunications firm Belgacom and the European Union, as well as Russian and Saudi Arabian systems. Snowden’s leaks indicated Belgacom was an NSA target.
Regin’s origins
Regin is a remote access Trojan with five stages, all encrypted except the first. To deploy, each stage must be activated in turn. Once in place, Regin allows its operators to capture keystrokes, monitor traffic, take screenshots, and more. In addition to its lack of targets in the U.S. and other Five Eyes countries, Regin’s code offered clues to its origins, including references to cricket terms.
Still, most computer users and system admins had little to worry about from Regin. Irish cybersecurity expert Brian Honan tweeted: “Remember, for the majority of companies out there, conficker poses a bigger threat to you than regin.”