Tech Time Warp: The malware RAT known as Regin
On Nov. 25, 2014, the U.S. Computer Emergency Readiness Team (US-CERT, whose alerts are now published by the Cybersecurity and Infrastructure Security Agency, CISA) issued an alert about Regin, a “sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns.” Journalists reported that the entities affected by Regin included airlines, telecom companies, energy companies and private individuals. Interestingly, the alert noted that at the time of its publication, Regin was not known to have any targets in the United States.
A remote access Trojan (RAT), Regin was notoriously slippery to detect. It was modular and loaded in multiple stages, each of which decrypted and launched the next; only the first stage sat on disk in the clear, while the later stages were stored encrypted, so a file-hash match would at best catch the loader. Once active, Regin could record passwords and monitor network traffic and running processes. As preventive measures, the alert recommended the usual good cybersecurity hygiene (using and maintaining anti-virus software, keeping software up to date) as well as deploying the published Indicators of Compromise (IOCs) to aid in detection. The name “Regin” comes from the murderous dwarf of Norse mythology whose own greed was his downfall.
Regin’s modular design invited comparison with Stuxnet, the malware widely attributed to the U.S. and Israeli governments that targeted Iranian nuclear centrifuges. But while Stuxnet set out to damage equipment in order to slow Iran’s nuclear program, Regin was built to collect data quietly in the background without disturbing the normal course of business. Among likely state-sponsored operations, that put it closer to the quiet data theft of the 2017 Equifax breach, which the U.S. Department of Justice has attributed to Chinese military hackers.
As security analysts and journalists dug into Regin, they noticed patterns linking the malware to the intelligence-gathering operations described in documents leaked by former National Security Agency contractor Edward Snowden.
Did you enjoy this installment of SmarterMSP’s Tech Time Warp? Check out others here.