Recently, the leading computer security vendors released reports on a malware threat called Regin, which security experts are known to have tracked since 2008. However, no country has taken responsibility for it. There is substantial evidence that the Regin malware, pronounced “Region”, is operated by the United States.
The Regin malware is a sophisticated threat used for monitoring governments, businesses, researchers, and individuals. It displays a high level of technical competence, which allows the attackers to achieve their goals with ease.
The Regin malware was detected in 10 countries: Saudi Arabia, Mexico, Ireland, Afghanistan, Iran, Belgium, Austria, Russia, Pakistan, and India. The results show that only non-English-speaking countries have been affected; countries such as Australia, Canada, the UK, and the United States do not appear on the list of victims.
It has been estimated that almost half of the infected systems belong to private individuals and small businesses. Moreover, the operators of the Regin malware have designed attacks on telecoms companies.
How does the Regin malware operate?
The Regin malware is a multi-stage Trojan horse that encrypts and hides every stage. Once the infection is executed, a domino chain begins in which each stage decrypts the next. In total there are five stages, and analysis of the threat was possible only after all of them had been acquired. The threat makes many changes to files and registry keys in order to avoid detection by anti-virus products.
Upon execution, the Trojan creates two kernel drivers: subclass.sys and adpu160.sys.
The list of payloads is impressive because it includes several Remote Access Trojan (RAT) features: capturing screenshots; recording passwords; controlling the mouse’s point-and-click functions and manipulating other user-interface features; restoring deleted files, which is a low-level forensic operation; and monitoring network traffic. Moreover, the infection collects process and memory information and navigates through the system.
The Regin malware uses several communication means to transmit and receive information, including ICMP/ping, custom TCP and UDP protocols, and embedding commands in HTTP cookies.
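The channels listed above (ICMP echo traffic and HTTP cookies) are attractive for command and control precisely because they blend into ordinary traffic. The following defensive heuristics, added here as an example and not taken from the article or from any published Regin analysis, show how a blue team might surface such traffic in logs: a cookie value that is both long and high-entropy (hinting at encoded data rather than a preference or session id) and an ICMP echo request whose payload is far larger than the 32 or 56 bytes common ping implementations send. The proxy-log and packet-summary line formats, the thresholds, and every sample line are constructed for this example.

```python
"""Heuristics for spotting command-and-control traffic hidden in ordinary-looking
channels: data smuggled in HTTP cookie values, and ICMP echo requests carrying
unusually large payloads.

The log formats, thresholds and all sample lines are constructed for this
example (hypothetical proxy and packet-summary formats); none of it is real
Regin traffic.
"""
import math
import re
from collections import Counter

# Constructed proxy-style log lines: method, host, path, raw Cookie header.
PROXY_LOG = [
    'GET intranet.example /index.html Cookie="session=abc123; lang=en"',
    'GET intranet.example /img/logo.png Cookie="prefs=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; lang=en"',
    'GET shop.example /cart Cookie="sid=3f9a1c7e2b4d8f0a6c1e5b9d7a3f2c8e"',
    'GET cdn.example-ads.net /pixel.gif Cookie="track=q7H2xZk9pLwV3tRb8nYc5FmJdSgA1eUoXiK6vNhPzWy0TQrEuM4BlDfGsCjO-_"',
]

# Constructed packet-summary lines for ICMP echo requests (type 8).
ICMP_LOG = [
    'ICMP type=8 src=10.0.0.12 dst=10.0.0.1 payload_len=56',
    'ICMP type=8 src=10.0.0.12 dst=10.0.0.1 payload_len=32',
    'ICMP type=8 src=10.0.0.47 dst=198.51.100.20 payload_len=1024',
]

COOKIE_RE = re.compile(r'Cookie="([^"]*)"')
PAYLOAD_RE = re.compile(r'type=8 .*payload_len=(\d+)')


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) or 0.0


def parse_cookies(header: str) -> dict:
    """Split a raw Cookie header into {name: value}; malformed pairs are skipped."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def flag_suspicious_cookies(lines, min_len=32, min_entropy=4.5):
    """Return (line_no, cookie_name, entropy) for cookie values that are both
    long and high-entropy. A hex session id caps at 4.0 bits/char and stays
    under the default threshold; a base64-like blob exceeds it."""
    hits = []
    for i, line in enumerate(lines):
        m = COOKIE_RE.search(line)
        if not m:
            continue
        for name, value in parse_cookies(m.group(1)).items():
            if len(value) >= min_len:
                ent = shannon_entropy(value)
                if ent >= min_entropy:
                    hits.append((i, name, round(ent, 2)))
    return hits


def flag_large_icmp_payloads(lines, max_len=64):
    """Return (line_no, payload_len) for echo requests whose payload exceeds
    what common ping implementations send (32 or 56 bytes)."""
    hits = []
    for i, line in enumerate(lines):
        m = PAYLOAD_RE.search(line)
        if m and int(m.group(1)) > max_len:
            hits.append((i, int(m.group(1))))
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_cookies(PROXY_LOG):
        print("suspicious cookie:", hit, "<-", PROXY_LOG[hit[0]])
    for hit in flag_large_icmp_payloads(ICMP_LOG):
        print("oversized ICMP payload:", hit, "<-", ICMP_LOG[hit[0]])
```

Both checks are deliberately simple and will produce false positives: many legitimate sites issue long base64 tokens, and some tooling sends large pings. Their value is in narrowing a large log to a handful of lines worth correlating with endpoint data (such as the driver and registry changes described above), not in acting as a verdict on their own.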
How does the Regin Trojan infect the operating system?
As regards the process of system infection, the threat uses browser exploits that are activated when the victim clicks a link in an email or visits a compromised website. The Regin case is one example of how important it is to pay close attention to online security and to disregard suspicious email senders, links, and websites.
How to minimize exposure to malware threats?
In order to prevent malware infections and the removal problems they bring, it is crucial to keep the operating system and security programs up to date. Additionally, web browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox should be updated whenever updates are available in order to close security vulnerabilities. Pop-up notifications and advertisements should not be clicked on, as they are likely to be generated by adware programs or unreliable websites, depending on the circumstances. It is also advisable to check the list of installed programs on a regular basis and remove those that are likely to have been installed without permission.