The Regin Espionage Toolkit [REGIN MALWARE]

Journalists are calling it the world's most advanced malware example. But before we jump to conclusions, let's take a deeper look at some resources which have been provided to the public.

TITLE  The Regin Espionage Toolkit
DATE  Sunday, November 23, 2014
AUTHOR  F-Secure
PAYWALL  No
LINK  https://www.f-secure.com/weblog/archives/00002766.html
TAGS  regin

Infection vector and payloads
The infection vector varies among targets and no reproducible vector had been found at the time of writing. Symantec believes that some targets may be tricked into visiting spoofed versions of well-known websites and the threat may be installed through a Web browser or by exploiting an application. On one computer, log files showed that Regin originated from Yahoo! Instant Messenger through an unconfirmed exploit.

Regin uses a modular approach, giving flexibility to the threat operators as they can load custom features tailored to individual targets when required. Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors, further evidence of the level of resources available to Regin’s authors.

There are dozens of Regin payloads. The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.

More specific and advanced payload modules were also discovered, such as a Microsoft IIS web server traffic monitor and a sniffer for the administration traffic of mobile telephone base station controllers.