For more than a decade some entities, identified by pundits as probably the NSA and Britain’s GCHQ, have been seeding “telecom operators, government institutions, multi-national political bodies, financial institutions, research institutions [and] individuals involved in advanced mathematical/cryptographical research” with malware called Regin.
Regin can be thought of as the B-2 bomber of cyberwarfare. It was a vehicle for different kinds of payloads, which dropped software components on the target systems. These components constituted a secret library that could later be invoked by some signal or event, or that routinely interacted with other components in ways that are as yet poorly understood. Regin came to public attention when researchers at Symantec realized that one of the ‘viruses’ they were cataloging was only the tip of a shadowy iceberg.
Even so, there is still much about Regin that they do not understand. They have, for example, not identified a reproducible infection vector; it may have been customized for each attack. There are also “dozens of Regin payloads,” providing for all the usual things like password stealing, screen capture, stolen files — including deleted files — and more.
The malware also makes use of non-standard and odd techniques as a means of stealth. For example, it has a custom-built encrypted virtual file system. Symantec believes that many components of Regin remain undiscovered.
Nor will they ever. Regin was versioned, and its successor has moved on in ways nobody in the public domain wants to talk about. The old versions created encrypted virtual file systems on target systems. These would look like noise or empty space on the hard drive, but Regin could “see” them with its special software glasses and use them as easily as you might a CSV file. Those invisible files could store screenshots taken as you entered your credentials into your bank’s ‘unhackable’ on-screen keyboard, or the keyboard interrupts for each letter as you typed. It would squirrel away a trace of emails, chats and the history of all your browsing in this invisible file system. Then, at the opportune time or on command, it could upload the whole shooting match via some other zombie device, and hence by routes devious and circuitous to the NSA.
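The “noise or empty space” property described above is also the handle a forensic examiner has on such a container: encrypted data is statistically indistinguishable from random bytes, so it stands out from zero-filled unallocated space and from ordinary files when you measure per-block entropy. The following is an added illustration of that triage step, not code from the original article or from Symantec’s analysis, and it does not model Regin’s actual on-disk format, which the page does not document. It assumes a 4 KiB block size and a 7.0 bits/byte threshold, and it scans a constructed in-memory “disk image” (zeros, a log file, a SHA-256-generated high-entropy region standing in for an encrypted container, more zeros) rather than a real device.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096          # assumed block size for the scan (4 KiB)
ENTROPY_THRESHOLD = 7.0    # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_high_entropy_blocks(image: bytes, block_size: int = BLOCK_SIZE,
                             threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return the byte offset of every block whose entropy exceeds the threshold."""
    flagged = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        if shannon_entropy(block) > threshold:
            flagged.append(offset)
    return flagged


def merge_runs(offsets: list, block_size: int = BLOCK_SIZE) -> list:
    """Collapse consecutive flagged offsets into (start_offset, length_in_bytes) runs."""
    runs = []
    for off in sorted(offsets):
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + block_size)
        else:
            runs.append((off, block_size))
    return runs


def pseudo_random_bytes(length: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter chain).

    Constructed stand-in for an encrypted container; it lets the example run
    offline and reproducibly instead of depending on os.urandom().
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_image() -> bytes:
    """Constructed disk image: 4 blocks of zeros, 2 blocks of log text,
    4 blocks of high-entropy data, 2 blocks of zeros."""
    zeros = b"\x00" * (4 * BLOCK_SIZE)
    log_line = b"2020-01-01T00:00:00Z user=alice action=login result=ok\n"
    text = (log_line * (2 * BLOCK_SIZE // len(log_line) + 1))[: 2 * BLOCK_SIZE]
    hidden = pseudo_random_bytes(4 * BLOCK_SIZE)
    tail = b"\x00" * (2 * BLOCK_SIZE)
    return zeros + text + hidden + tail


def scan_image(image: bytes) -> list:
    """Entropy triage: contiguous high-entropy runs that deserve a closer look.

    A hit is a lead, not proof: compressed archives, media files and
    legitimate encrypted volumes score just as high, so each run still has
    to be cross-checked against the file-system allocation map.
    """
    return merge_runs(flag_high_entropy_blocks(image))


if __name__ == "__main__":
    img = build_sample_image()
    for start, length in scan_image(img):
        ent = shannon_entropy(img[start:start + length])
        print(f"high-entropy run at offset {start:#x}, {length} bytes "
              f"({ent:.2f} bits/byte)")
```

On the constructed image the scan reports a single run beginning at offset 0x6000 (block 6) and 16384 bytes long, exactly the region filled with pseudo-random data; the zero-filled blocks score 0.0 and the repetitive log text stays well under the threshold. On a real image the interesting runs are the high-entropy ones that the file system’s own metadata says are unallocated or belong to no known file.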
Regin could colonize networked devices.