Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals.
Regin has a wide range of standard capabilities, particularly around monitoring targets and stealing data. It also has the ability to load custom features tailored to individual targets. Some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors, such as telecoms infrastructure software, on the part of the developers.
Regin is capable of installing a large number of additional payloads, some highly customized for the targeted computer. The threat’s standard capabilities include several remote access Trojan (RAT) features, such as capturing screenshots and taking control of the mouse’s point-and-click functions. Regin is also configured to steal passwords, monitor network traffic, and gather information on processes and memory utilization. It can also scan for deleted files on an infected computer and retrieve them. More advanced payload modules designed with specific goals in mind were also found in our investigations. For example, one module was designed to monitor network traffic to Microsoft Internet Information Services (IIS) web servers, another was designed to collect administration traffic for mobile telephony base station controllers, while another was created specifically for parsing mail from Exchange databases.
Regin goes to some lengths to hide the data it is stealing. Valuable target data is often not written to disk. In some cases, Symantec was only able to retrieve the threat samples but not the files containing stolen data.