Stealth malware found spying on telecoms, energy sectors

An advanced piece of malware has been uncovered, which has been in use as far back as 2008 to spy on governments, companies and individuals, Symantec said in a report released Sunday.

The Regin cyberespionage tool uses several stealth features to avoid detection, features that required a significant investment of time and resources and suggest it is the product of a nation state, the antivirus software maker warned, without indicating which country was behind it. The malware's design makes it highly suited for long-term mass surveillance, the company said.

"Regin's developers put considerable effort into making it highly inconspicuous. Its low-key nature means it can potentially be used in espionage campaigns lasting several years," the company said in a statement. "Even when its presence is detected, it is very difficult to ascertain what it is doing."

Regin's highly customizable nature allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse's point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases.

Some of Regin's main targets include Internet service providers and telecommunications companies, where it appears the complex software is used to monitor calls and communications routed through the companies' infrastructure. Other targets include companies in the airline, energy, hospitality and research sectors, Symantec said.

The malware's targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico, and India.

Regin is composed of five attack stages, all of which are hidden and encrypted except the first, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about the malware's overall structure, so all five stages had to be acquired before the threat posed by the malware could be analyzed.

Symantec said the multi-stage architecture is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.

Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.

Cyberespionage is a sensitive subject, often straining diplomatic relations between countries. The US and China have tussled for years over accusations of electronic spying. The US has accused China's government and military of engaging in widespread cyberespionage targeting US government and business computer networks. China has denied the charges and accused the US of similar behavior targeting its own infrastructure.