Regin spyware has displayed a “degree of technical competence rarely seen”, Symantec said. Used in systematic campaigns since at least 2008, the backdoor trojan targets Windows users. Regin is believed to have taken years to develop, and its creators have taken great care to hide their own tracks as well as the malware’s, which infiltrates a system slowly. It has been proposed that a nation state most likely developed it to serve its foreign intelligence agencies.
The stealthy malware is a multi-staged threat in which each stage is encrypted and hidden and loads the next, like a row of dominoes. Only once an analyst has acquired access to all five stages can the malware be fully analyzed. "Many components of Regin remain undiscovered and additional functionality and versions may exist," Symantec noted. The spyware also appears to be fully customizable, and it was developed for long-term surveillance operations against its targets.
The original version of Regin was seen between 2008 and 2011; it is difficult to say whether it existed before then, because initial detection is very difficult. In 2011 infections dropped sharply, until a new version of the spyware emerged in 2013. Targets have ranged from small businesses to research institutes, telecom companies, and airlines. The malware has been recorded in more than ten countries, primarily in Russia and Saudi Arabia.
Since the latest version appeared, nearly 100 Regin infections have been identified. Its capabilities include remote access to victims’ computers, taking screenshots, controlling the mouse pointer, stealing data such as passwords, recovering deleted files, and monitoring network traffic.