We're all used to hearing about malware threats, with new variants of existing malware families appearing on a seemingly daily basis. What is far less common is a totally new threat appearing, especially one that has apparently been operating unchallenged since 2008. Research published by Symantec describes just this: a new "ground breaking and almost peerless" malware threat known as Regin.
Regin is a highly sophisticated piece of malware built for long-term data gathering, and it has been implicated in attacks against government organizations and the private sector. The malware is multi-staged and comprises a number of advanced modules which allow it to be customized to match a particular target. This modular approach has proven successful before with APTs such as Careto and Flame; however, Regin really raises the bar with advanced anti-forensics and stealth features. Modules that target specific telecoms software and IIS web servers demonstrate highly specialist knowledge on the part of the malware developers.
The malware infects the machine in six stages:
- Stage 0 - Writes registry keys and executes next stage
- Stage 1 - Uses admin rights to load driver
- Stage 2 - Uses admin rights to load driver
- Stage 3 - Uses admin rights to load modules and write to HKLM registry key
- Stage 4 - Uses admin rights to load kernel drivers and encrypted containers
- Stage 5 - Uses files now embedded in the OS to begin stealing data
So how do you safeguard against such an advanced threat that has escaped detection for so long?
It's time to get proactive
The answer is to be proactive about your IT security, not reactive. Antivirus solutions will protect you once the threat is discovered and becomes known, but what happens when Regin evolves? And what about the risk that has been facing your business for the last 6 years?
With a reactive approach, businesses are playing a never-ending game of cat and mouse.
Why not put solid measures in place to prevent it becoming a threat in the first place? The reality is that being proactive now and making your security posture future-proof is the only way to stop advanced threats like Regin taking hold.
This is where proactive technologies such as Defendpoint's Privilege Management module come into play. It's a fact that privilege management alone would prevent most of the stages of Regin, just as it would have prevented 10 of the 12 steps involved in the Home Depot breach.
This malware's stealth and sophistication rely on exploiting admin privileges to install kernel drivers and set up system services. This allows the malware to embed itself deep within the OS and steal data. If admin rights are removed, the malware is blocked at Stage 1, preventing it from loading the advanced modules and gaining persistence.
As Regin potentially came from a spoofed website or was installed through a browser exploit, we can also leverage Defendpoint's advanced Sandboxing and Application Control modules to further reduce the attack surface. Sandboxing can be used to contain unknown web content in a secure container, which prevents the Stage 0 dropper gaining any persistence on the system. In the event that the browser is compromised, file and registry changes are contained within the secure sandbox and isolated from the user's private data. Application control can allow-list trusted applications and prevent malicious downloads from executing, which stops the user being tricked into running an executable.
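A check a defender can run against the two preconditions described above, added here as an example that is not part of the original post or of Defendpoint: it reports which accounts hold standing local admin rights and which kernel-driver services were installed recently. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1 (for Get-LocalGroupMember) and an unfiltered System event log.

```powershell
# Added example (not from the original post or from Avecto/BeyondTrust):
# audit the admin rights and driver loading that Stages 1 to 4 depend on.
# Assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1.

function Test-CurrentTokenIsAdmin {
    # True when the current process runs with an elevated Administrators token,
    # i.e. it already holds the rights a Stage 1 driver load needs.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Standing members of the local Administrators group; each entry is an
    # account whose compromise would hand a dropper the rights Stage 1 needs.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-RecentKernelDriverInstalls([int]$Days = 30) {
    # Service Control Manager logs Event ID 7045 for every newly installed service,
    # driver services included. Property order in that event:
    # 0=ServiceName 1=ImagePath 2=ServiceType 3=StartType 4=AccountName
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -eq 'kernel mode driver' } |
        Select-Object TimeCreated,
            @{ Name = 'Service';   Expression = { $_.Properties[0].Value } },
            @{ Name = 'ImagePath'; Expression = { $_.Properties[1].Value } },
            @{ Name = 'Account';   Expression = { $_.Properties[4].Value } }
}

# Report: an empty admin list and an empty driver list are the desired state
# on a standard user workstation.
"Current token is admin : $(Test-CurrentTokenIsAdmin)"
"`nLocal Administrators group members:"
Get-LocalAdminMembers | Format-Table -AutoSize
"`nKernel driver services installed in the last 30 days:"
Get-RecentKernelDriverInstalls | Format-Table -AutoSize
```

Any driver in the last table whose ImagePath is outside the Windows directory or whose installing account is a regular user is worth a closer look.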
Antivirus and other existing reactive technologies can't stop the 300,000 pieces of malware appearing every 24 hours, meaning the traditional model is failing. When it comes to defending against malware, both known and unknown, the best defense is to be proactive and layer up defenses.
Technologies such as privilege management and application control, along with regular patching and adopting standard configurations, are named by SANS and the Council on Cyber Security, among others, as the most effective 'quick wins' based on real-life attacks. Layering on defenses such as Sandboxing also helps safeguard data from internet threats by seamlessly providing a secure way to view unknown websites and content.
To learn more about how Defendpoint can protect you against advanced threats like Regin now, visit www.avecto.com/defendpoint or contact our offices in the UK, US and Australia.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.