Contributor:
James.Maude
November 24th, 2014

Restricting Regin’s Reign

We’re all used to hearing about malware threats, with new variants of existing malware families appearing on a seemingly daily basis. What is far less common, though, is a totally new threat appearing, especially one that has apparently been operating unchallenged since 2008. Research published by Symantec describes just this: a new “ground breaking and almost peerless” malware threat known as Regin.

Regin is a highly sophisticated piece of malware that is built for long-term data gathering and has been implicated in attacks against government organizations and the private sector. The malware is multi-staged and comprises a number of advanced modules which allow it to be customized to match a particular target. This modular approach has proven successful before with APTs such as Careto and Flame; however, Regin really raises the bar with advanced anti-forensics and stealth features. Modules that target specific telecoms software and IIS web servers demonstrate highly specialist knowledge on the part of the malware developers.

The malware infects the machine in six stages:

  • Stage 0 – Writes registry keys and executes next stage
  • Stage 1 – Uses admin rights to load driver
  • Stage 2 – Uses admin rights to load driver
  • Stage 3 – Uses admin rights to load modules and write to HKLM registry key
  • Stage 4 – Uses admin rights to load kernel drivers and encrypted containers
  • Stage 5 – Uses files now embedded in the OS to begin stealing data

So how do you safeguard against such an advanced threat that has escaped detection for so long?

It’s time to get proactive

The answer is to be proactive about your IT security, not reactive. Antivirus solutions will protect you once the threat is discovered and becomes known, but what happens when Regin evolves? And what about the risk that has been facing your business for the last 6 years?

With a reactive approach, businesses are playing a never-ending game of cat and mouse.

Why not put solid measures in place to prevent it becoming a threat in the first place? The reality is that being proactive now and making your security posture future-proof is the only way to stop advanced threats like Regin taking hold.

This is where proactive technologies such as Defendpoint’s Privilege Management module come into play. It’s a fact that privilege management alone would prevent most of the stages of Regin, just as it would have prevented 10 of the 12 steps involved in the Home Depot breach.

This malware’s stealth and sophistication are reliant on exploiting admin privileges to install kernel drivers and set up system services. This allows the malware to embed itself deep within the OS and steal data. If we remove access to an admin account, the malware will be blocked at Stage 1, preventing it from loading the advanced modules and gaining persistence.
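The point above is that Stages 1 to 4 all depend on the logged-on user holding admin rights, and in particular the right to load a kernel driver. The following PowerShell script is an added example for this post, not Avecto’s or Defendpoint’s code, that lets an administrator check that dependency on a workstation: is the current user a local administrator, does the token carry the driver-loading privilege, who sits in the local Administrators group, and which services or kernel drivers were installed recently. It uses only built-in tools (whoami, the LocalAccounts cmdlets from PowerShell 5.1, and Service Control Manager event 7045 in the System log); the seven-day window is an assumed value you can adjust.

```powershell
# Added example (not Avecto/Defendpoint code): audit whether a user could reach
# Regin-style Stage 1 (loading a driver) and list recent driver/service installs.

# 1. Is the current user running with local administrator rights?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"User $($identity.Name) has admin rights in this session: $isAdmin"

# 2. Which sensitive privileges does this token hold? SeLoadDriverPrivilege is
#    the one a kernel-driver loader needs; a standard user token should not have it.
$watched = @('SeLoadDriverPrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege')
whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -in $watched } |
    Format-Table 'Privilege Name', State -AutoSize

# 3. Who is in the local Administrators group? Every member here can load drivers.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 4. Services and kernel drivers installed recently (SCM event 7045, System log).
#    A new "kernel mode driver" entry on an end-user workstation deserves a look.
$since = (Get-Date).AddDays(-7)   # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']   # e.g. "kernel mode driver" or "user mode service"
            StartType   = $data['StartType']
            InstalledBy = $data['AccountName']
        }
    } | Format-Table -AutoSize
```

Run it as the standard user whose account you want to assess (sections 1 and 2 describe that user’s own token) and once more from an elevated prompt if the local group or event log cannot be read. If section 1 reports admin rights or section 2 shows SeLoadDriverPrivilege enabled, the account has exactly the capability the Stage 1 driver load relies on, which is what removing standing admin rights takes away.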

As Regin potentially came from a spoofed website or was installed through a browser exploit, we can also leverage Defendpoint’s advanced Sandboxing and Application Control modules to further reduce the attack surface. Sandboxing can be used to contain unknown web content in a secure container, which prevents the Stage 0 dropper gaining any persistence on the system. In the event that the browser is compromised, file and registry changes are contained within the secure sandbox and isolated from the user’s private data. Application control can whitelist trusted applications and prevent malicious downloads from executing, which prevents the user being tricked into running an executable.

Antivirus and other existing reactive technologies can’t stop the 300,000 pieces of malware appearing every 24 hours, meaning the traditional model is failing. When it comes to defending against malware, both known and unknown, the best defense is to be proactive and layer up defenses.

Technologies such as privilege management and application control, along with regular patching and adopting standard configurations, are named by SANS and the Council on Cyber Security, among others, as the most effective ‘quick wins’ based on real-life attacks. Layering on defenses such as Sandboxing also helps safeguard data from internet threats by seamlessly providing a secure way to view unknown websites and content.

To learn more about how Defendpoint can protect you against advanced threats like Regin now, visit www.avecto.com/defendpoint or contact our offices in the UK, US and Australia.
