New malware, threats, vulnerabilities and attacks will always gather the most attention, and this attention always...
focuses on how these threats will affect enterprises rather than noting how they could have been mitigated. Additionally, little attention is given to how both existing security controls could have helped combat the threats, and how the new threat builds off of prior malware samples.
Whenever a new or updated threat is detected, it is critical to assess these two things. After new aspects of an updated threat are identified, enterprises should evaluate how their information security program currently addresses the threat and if -- and how -- it should be updated if need be.
This is true in the case of Regin, a cyber-espionage malware toolkit that broke at the end of 2014. Symantec Corp. released a whitepaper about the malware that included many of the standard malware methods along with a new step or two, proving its evolving sophistication.
In this tip, I will discuss the Regin malware, what makes it different, how enterprises can defend against it, and what it means to enterprise malware detection and prevention.
The Regin malware is similar to prior cyber-espionage malware, such as Flame or Stuxnet, as it uses modular software development or structured programming. However, as security expert Bruce Schneier points out, many of its components are government grade. It has also been linked to British and American intelligence services.
Symantec and other outlets have reported Regin malware samples from as far back as 2008, as well as antimalware definitions back to 2011. A Kaspersky Labs' report even claims some of the earliest Regin malware samples are from 2003. However, only in November did companies publically publish the information after Symantec learned The Intercept was going to publish an article about it.
Much of the information currently being disclosed about Regin reports that is being incorporated into non-state-sponsored malware, although Regin did had some of this functionality in 2008.
One of the key aspects of Regin is that it appears to have knowledge of the target environment and vulnerabilities in that environment that could be exploited. Other targeted attacks like Stuxnet and Flame similarly required significant information about the target network and devices to be successful; without specific details on the centrifuges, it is unlikely Stuxnet could have damaged them. Regin, Stuxnet and Flame all use a modular design, which makes it easier for enterprises to maintain defenses and issues patches as new versions are detected.
The latest version of Regin has functionality to use multiple payloads and remote access tools, to steal passwords, to monitor network traffic and to gather data on the local system much like previously discussed Trojans, such as BackOrifice and Dameware, or even standard system management tools. Regin uses all of these different capabilities in six different stages, as outlined by Symantec on its blog:
- Set-up: The initial dropper that will execute code on the endpoint
- Stage 1: Loads code from the dropper
- Stage 2: Continuing to load the code in a decrypted form
- Stage 3: Setup of the kernel framework
- Stage 4: Setup the usermode framework and kernel modules
- Stage 5: Lastly, execute the payload modules to exploit the system
While Regin can be modified based on the specific target and goals, the initial infection vector used in stage one has still not been identified.
All of these different modules add up to create a very potent malware.
How enterprises can defend against Regin
While a vast majority of enterprises will never need to defend against malware as advanced as Regin, Stuxnet or Flame, the most effective attack techniques from this malware will likely be adopted by malware authors for other varieties of malware, and therefore enterprises should be aware of them. Evaluating how to defend against Regin -- or other advanced threats -- in the future could help prioritize resources for defending the enterprise.
Symantec and other vendors have updated their antimalware and defense tools to combat Regin. They have also released indicators of compromise that can be used to investigate a system that was flagged by an antimalware tool. Complementing this with threat intelligence of new indicators of compromise (like updates to the command-and-control system) can help improve detection. Additionally, network tools that can detect malformed packets or protocols can identify the outgoing tunnel used for the command and control; an incident responder could then investigate the system to identify any of the indicators of compromise.
Note that antimalware vendors depend on customers to submit unknown malware samples for analysis so they can investigate and release updated detection capabilities. Enterprises should continue to submit unknown malware to help vendors improve the defense capabilities of their products.
Targeted attacks using malware will continue to happen. There is no risk, threat or vulnerability assessment that will stop a well-funded and supported attacker.
However, detecting the attack and being able to stop it as soon as possible are critical to the survival of enterprise IT systems. The Regin malware was part of a sophisticated attack that an enterprise must assess to determine if it needs to defend against those types of threats in the future.
About the author:
Nick Lewis, CISSP, is a program manager for Trust and Identity at Internet2, and prior information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and telecommunications from Michigan State University in 2002.
Cyber-espionage and cybercrime are continual and evolving threats. Learn more about cyber-espionage and cybercrime and what every organization should be doing to protect itself.
Get the latest malware news and advice from SearchSecurity