Regin: Stuxnet's Best Spying Malware Cousin

Regin. /ˈreɪɡɪn/ 1. (Norse myth) a dwarf smith, tutor of Sigurd, whom he encouraged to kill Fafnir for the gold he guarded.

Regin is essentially a murderous dwarf who is caught and killed by his own greed. That Norse myth is, at its core, a fitting description of the Regin virus, which has injected itself into systems across the globe and today has finally been brought to light by Symantec and Kaspersky researchers. The Regin cybervirus has been tracked over the course of the past few years by security firms such as Symantec, Kaspersky and McAfee, but none of them had enough data to build a complete picture of the virus’ scope or its targets. As a result, this research has been going on for quite some time, and today multiple security companies have published their findings on the Regin malware and what it seeks to accomplish once it has infected a system.


According to Symantec’s research, Regin is being used as a covert espionage tool to go after very specific targets and infect them at a very deep level, either to collect information directly or to gain access to the information of a user on that network. They describe Regin as a very complicated and heavily encrypted piece of malware that hides its final form from anyone looking for it unless they have access to all five stages of the malware’s unpacking. They detail the process in their technical whitepaper, but it is essentially a multi-stage virus that conceals its ultimate target and behaviour unless an analyst can obtain every form/stage of the unpacking chain up to the final payload.
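To make the "all five stages or nothing" point concrete, here is a toy model of a chained unpacker, written as an added illustration for this article and not taken from Symantec's whitepaper or from Regin itself. It assumes a constructed five-stage chain in which every stage after the first is stored encrypted under a key derived from the plaintext of the stage before it; the keyed XOR, the STAGE marker and the stage contents are all invented for the demonstration, and nothing about Regin's real format is reproduced. The example shows why an analyst who lacks (or has a corrupted copy of) any intermediate stage cannot recover the final payload.

```python
"""Toy model of a chained multi-stage unpacker (constructed example).

Stage 0 sits on disk in the clear.  Every later stage is encrypted with a key
derived from the plaintext of the stage before it, so the final payload can
only be reached by recovering each intermediate stage in order.  The keyed XOR
is a stand-in cipher for illustration only.
"""
import hashlib

# Constructed marker that every legitimate decrypted stage must start with.
STAGE_MARKER = b"STAGE"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (illustrative cipher, not the real one)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(previous_stage: bytes) -> bytes:
    """Key for stage N+1 depends entirely on the plaintext of stage N."""
    return hashlib.sha256(previous_stage).digest()[:16]


def build_chain(stage_payloads):
    """Turn plaintext stages into the blobs that would sit on disk."""
    blobs = [stage_payloads[0]]          # first stage is stored unencrypted
    prev = stage_payloads[0]
    for plain in stage_payloads[1:]:
        blobs.append(xor_bytes(plain, derive_key(prev)))
        prev = plain
    return blobs


def unpack_chain(blobs, available):
    """Recover as many plaintext stages as possible.

    `available` is the set of blob indexes the analyst actually has.  The walk
    stops at the first missing blob or the first decryption that fails the
    marker check, because every later key depends on that stage's plaintext.
    """
    recovered = []
    prev = None
    for index, blob in enumerate(blobs):
        if index not in available:
            break
        plain = blob if index == 0 else xor_bytes(blob, derive_key(prev))
        if not plain.startswith(STAGE_MARKER):
            break                         # wrong key: upstream stage is bad
        recovered.append(plain)
        prev = plain
    return recovered


# Constructed sample chain: five stages, the last one being the payload.
SAMPLE_STAGES = [
    b"STAGE1 loader stub",
    b"STAGE2 decryptor",
    b"STAGE3 kernel-mode component",
    b"STAGE4 dispatcher",
    b"STAGE5 final payload",
]
SAMPLE_BLOBS = build_chain(SAMPLE_STAGES)


def recover_final_payload(available, blobs=SAMPLE_BLOBS):
    """Return the final payload only if the entire chain unpacked cleanly."""
    recovered = unpack_chain(blobs, available)
    return recovered[-1] if len(recovered) == len(blobs) else None


def tampered_blobs(index, blobs=SAMPLE_BLOBS):
    """Simulate an analyst holding a corrupted copy of one intermediate stage."""
    copy = list(blobs)
    copy[index] = b"\x00" * len(copy[index])
    return copy


if __name__ == "__main__":
    print("full chain:", recover_final_payload(set(range(5))))
    print("stage 3 missing:", recover_final_payload({0, 1, 3, 4}))
    print("stage 3 corrupted:", recover_final_payload(set(range(5)), tampered_blobs(2)))
```

Running the block prints the payload only for the complete chain; dropping or corrupting a middle blob stops the walk at that stage, which is the situation researchers faced while they held only some of Regin's stages.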


This multi-stage approach is similar to what was seen in Duqu and Stuxnet, and Regin is once again very likely to be a sovereign-built piece of malware from some government. As you can see, the targets it goes after are very broad and appear to be focused mostly on developing countries, with Russia, Belgium and Germany being the exceptions. Those countries, according to Kaspersky, are:


However, if you use Symantec’s data, the list of countries actually expands to include Saudi Arabia, Austria, Ireland and Mexico.

Additionally, Kaspersky discovered a strong attack on GSM networks, especially in the case of Belgium, where an entire operator was infiltrated by this malware; the operator had publicly announced that it had been attacked but was not aware of the perpetrator or the target. What is interesting, however, is that both Kaspersky and Symantec found that this malware’s structure and payload delivery system (the multi-stage approach) were specifically designed to obscure the malware’s existence. Once it had infected a system it was designed to remain inconspicuous as it lingered there, making detection incredibly difficult.