Regin was discovered in a variety of organizations between 2008 and 2011; it then disappeared until 2013, when a new version resurfaced. The attack vector varies depending on the target, but it is believed that some victims are tricked into visiting fake versions of well-known websites, after which the malware is installed through the browser or an application. There has also been an unconfirmed instance in which the infection originated from Yahoo Instant Messenger.
Regin can conduct a wide range of operations once it infects a system, including screenshot-capturing, taking control of mouse functions, stealing passwords, monitoring network traffic and recovering deleted files. With highly customizable capabilities stemming from the modular design, Regin is geared toward monitoring individuals or organizations for long periods of time and has been used as an advanced persistent threat in spying operations against government organizations, infrastructure operators, businesses, researchers and individuals.
Regin uses a five-stage approach in which every stage except the first is hidden and encrypted. Each stage depends on the others to function.
The first stage involves the installation and configuration of the internal services; this is the only one that is plainly visible on the system. The later stages involve distribution of the main payloads, which are stored as encrypted data blobs, either as a file or within a non-traditional file storage area. Individually, each stage contains little information on the complete process, so it's only possible to analyze and understand the threat if all stages are visible at the same time. This multi-stage architecture is similar to that of Stuxnet and Duqu.
Regin's command-and-control communication is designed to evade detection. It hides inside legitimate-looking communication channels, such as custom TCP and UDP protocols and commands embedded in HTTP cookies, to communicate covertly with its operator(s).
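A cookie used as a covert command channel looks different from an ordinary session cookie: its value tends to be long, high-entropy and different on every request, whereas a real session identifier may be random but stays stable. The following detector is an added illustration of that heuristic, not code from the original article or from any Regin analysis; the proxy log format and the log lines are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample proxy log lines (not captured Regin traffic): method, host, Cookie header.
SAMPLE_LOG = [
    "GET shop.example.com Cookie: session=Zx8Kp2Qm7Tn4Vb1Rc9Ws3Ye6Hd0Lf5Jg; lang=en",
    "GET shop.example.com Cookie: session=Zx8Kp2Qm7Tn4Vb1Rc9Ws3Ye6Hd0Lf5Jg; lang=en",
    "GET cdn.example.net Cookie: id=K9dZ2xQ7mP1vR4tW8yB3nF6hJ0cL5sE2",
    "GET cdn.example.net Cookie: id=Qa7Lm2Xz9Vb4Rt1Yw6Hn3Jk8Pd5Fc0Ge",
    "GET cdn.example.net Cookie: id=Mu3Rp8Tk1Zq6Xn4Wb9Yd2Hs7Lf0Jc5Va",
]

def shannon_entropy(value):
    """Bits per character; an opaque encoded blob scores far higher than a word or a counter."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def parse_line(line):
    """Return (host, {cookie_name: value}) from one log line in the assumed format."""
    m = re.match(r"\S+\s+(\S+)\s+Cookie:\s*(.*)$", line)
    if not m:
        return None, {}
    cookies = {}
    for part in m.group(2).split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return m.group(1), cookies

def find_suspect_cookies(lines, min_len=24, min_entropy=4.0):
    """Flag (host, cookie name) pairs seen at least twice whose values are all long,
    high-entropy and never repeated: a stable random session id is not flagged,
    a fresh encoded payload on every request is."""
    observed = defaultdict(list)  # (host, name) -> values in order of appearance
    for line in lines:
        host, cookies = parse_line(line)
        for name, value in cookies.items():
            observed[(host, name)].append(value)
    suspects = []
    for key, values in observed.items():
        opaque = all(len(v) >= min_len and shannon_entropy(v) >= min_entropy for v in values)
        if len(values) >= 2 and opaque and len(set(values)) == len(values):
            suspects.append(key)
    return sorted(suspects)
```

On the constructed log the stable `session` cookie on shop.example.com is ignored and only the churning `id` cookie on cdn.example.net is reported; in practice the thresholds need tuning against a baseline of the environment's normal cookie traffic.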
The majority of Regin infections have occurred within small businesses and individuals. Other targets include telecom companies. The attacks have been geographically diverse, spread across ten different countries, mainly Russia and Saudi Arabia.
Regin malware has been linked to the U.S., UK and Israeli governments as part of long-term government-sponsored cyber-espionage campaigns.