Thanks to the work of security experts from all over the world, the discovery and elimination of security bugs, viruses and other malware is relatively fast, especially in this Internet age in which information crosses the world in seconds; therefore, no matter how fast the attack, users are almost always safe just by updating promptly. However, there are also very rare cases in which, by the time the attack vector is discovered, it is already too late, and now Symantec has announced that it has found one of these cases.
A very competent spy
Regin, which is the name of the discovered Trojan, has been running since at least 2008 (or even earlier), an eternity in this sector. Not only that, but everything that has been found out about it indicates that it is not the work of amateurs but a truly powerful weapon, which is why it has remained in the shadows for six years. It is estimated that months or even years of work were invested in its development, a project that requires financing and expertise that not just anyone has; in addition, its structure and operation are similar to other examples of malware developed by nation states. With all these data, Symantec concludes that it is a Trojan developed by a government agency in some country for the purpose of espionage.
And how has it managed to go unnoticed until now? Its five-layer structure is largely to blame: only the first layer is not encrypted, and the rest is a maze that can only be traversed by completing the previous stage. Each layer unlocks the next, and it wasn’t until the researchers worked through all five layers that they knew what they were up against. Across the various layers there is code to take screenshots, take control of the mouse, steal passwords, or capture network traffic; not only that, but its modular design allows further functions to be developed, customizing the attack.
Regin is estimated to be present mainly in Russia and Saudi Arabia, although there are also infected machines in Europe; 48% of infected computers (Windows systems only) belong to ordinary citizens and small businesses, so its purpose is not clear. In addition, only 100 infections have been discovered so far, a figure too low for what it is capable of, so there are two possibilities: either the rest have not been discovered yet, or it is a specialized tool for attacking specific targets rather than for being released onto the net at large.
Source | Symantec | Ars Technica