Wednesday, November 26, 2014

Regin Malware is "Groundbreaking"

Symantec has revealed details about malware called "Regin". It is a multi-stage threat that can be adapted easily to gather different types of data. According to Symantec this is not just screen grabs and password information but something far more sophisticated: Symantec claims to have identified dozens of different payloads that Regin has access to.
 
Once Regin has acquired the data it encrypts it and then exfiltrates it. The stolen data may never be written to disk but may be sent back immediately, and the encryption means that security devices and software do not easily detect it.

Symantec describes how Regin uses special features to stay below the detection radar: "These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols."
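The two traits just quoted, encrypted data that never touches disk and command traffic hidden inside ICMP echo payloads or HTTP cookies, are what a network defender can still look for: encrypted content has high byte entropy, and ping payloads or cookies that carry it tend to be larger and more random than their benign counterparts. The following is an added illustration of that detection idea, not code from Symantec or from the Regin analysis; the packet records, the threshold values and the `Packet` class are constructed assumptions for the example.

```python
import math
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Minimal constructed record of one observed packet (assumption: a
    real deployment would populate this from a capture or proxy log)."""
    proto: str                  # "icmp" or "http"
    payload: bytes = b""        # ICMP echo data for proto == "icmp"
    cookie: str = ""            # Cookie header value for proto == "http"
    reasons: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted or compressed
    content approaches 8.0; plain ping padding and normal cookies are far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Assumed thresholds for the example; tune against your own baseline traffic.
ICMP_SIZE_THRESHOLD = 64       # bytes; default ping payloads are 32 or 56 bytes
ICMP_ENTROPY_THRESHOLD = 6.0   # bits/byte; sequential ping padding stays well below
COOKIE_LEN_THRESHOLD = 512     # characters; typical session cookies are far shorter
COOKIE_ENTROPY_THRESHOLD = 5.5 # bits/byte


def flag_packet(pkt: Packet) -> list:
    """Return the list of reasons this packet looks like a covert channel
    (empty list means nothing suspicious)."""
    reasons = []
    if pkt.proto == "icmp":
        if len(pkt.payload) > ICMP_SIZE_THRESHOLD:
            reasons.append("oversized ICMP payload")
        if shannon_entropy(pkt.payload) > ICMP_ENTROPY_THRESHOLD:
            reasons.append("high-entropy ICMP payload")
    elif pkt.proto == "http":
        raw = pkt.cookie.encode()
        if len(raw) > COOKIE_LEN_THRESHOLD:
            reasons.append("oversized cookie")
        if shannon_entropy(raw) > COOKIE_ENTROPY_THRESHOLD:
            reasons.append("high-entropy cookie")
    return reasons


def scan(packets: list) -> dict:
    """Map packet index -> reasons for every packet that raised at least one flag."""
    return {i: r for i, p in enumerate(packets) if (r := flag_packet(p))}


# Constructed sample traffic: two benign records and two that mimic the
# behaviour described above (an encrypted blob riding on ping, a cookie
# carrying encrypted command data). bytes(range(100)) stands in for
# encrypted content because every byte value is distinct (high entropy).
SAMPLE_PACKETS = [
    Packet("icmp", payload=b"abcdefghijklmnopqrstuvwabcdefghi"),  # Windows-style ping
    Packet("http", cookie="sessionid=abc123; theme=dark"),
    Packet("icmp", payload=bytes(range(100))),
    Packet("http", cookie="".join(chr(33 + (i * 7) % 90) for i in range(600))),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_PACKETS).items():
        print(f"packet {idx}: {', '.join(reasons)}")
```

Entropy alone produces false positives on legitimately compressed or TLS-wrapped traffic, so in practice the flags above are combined with volume baselines per host and with the direction of the flow (a workstation that suddenly emits large, random ping payloads is more interesting than a server answering them).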

Regin has been found in 10 countries, and the targets seem to be key business sectors, private individuals and small businesses. The full breakdown of countries and of target sectors that Symantec gives is:

Infections by country:
  • 28% Russian Federation
  • 24% Saudi Arabia
  • 9% Mexico
  • 9% Ireland
  • 5% India
  • 5% Afghanistan
  • 5% Iran
  • 5% Belgium
  • 5% Austria
  • 5% Pakistan

Infections by target sector:
  • 48% Private individuals and small businesses
  • 28% Telecoms backbone
  • 9% Hospitality
  • 5% Energy
  • 5% Airline
  • 5% Research

Symantec describes Regin as follows: "In the world of malware threats, only a few examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware."
