Espionage Malware Alert Sounded

'Regin' Has Stuxnet-Like Capabilities, Researchers Say

By Mathew J. Schwartz, November 24, 2014. Follow Mathew J. @euroinfosec

Stealth espionage malware has been used to target government agencies, businesses and research institutes, as well as a variety of private individuals and small businesses, according to new research released by information security vendors F-Secure, Kaspersky Lab and Symantec.

The researchers have declined to speculate about what nation is behind the attacks, and none of the security firms' separate reports reveal precisely which businesses or organizations have been targeted. But Symantec says that the greatest number of related infections have been found in Russia and Saudi Arabia.

While the malware family used in the attacks - known as both Regin and Regis - was first discovered in the wild in 2008, and may even date to 2003, multiple information security researchers are warning that more advanced versions of the malware have been spotted in long-running attack campaigns.

Since 2013, security experts say the malware has been getting makeovers that make it more difficult to detect, because it now uses an expanding array of modules that provide attackers with a wide variety of targeted capabilities, including remote access Trojan-like features, such as keystroke logging and capturing screenshots; a Microsoft IIS Web traffic monitor; and a GSM network base station sniffer. Security vendors named the malware for its ability to load its attack modules in the registry of an infected PC.

"We first encountered Regin nearly six years ago in early 2009, when we found it hiding on a Windows server in a customer environment in Northern Europe," says Antti Tikkanen, director of security response at Finnish anti-virus firm F-Secure. The rootkit, however, was crashing the Windows system it had infected, triggering a blue screen of death - and leading researchers to identify the malware as the source of the crash.

Since then, however, the malware's sophistication has increased significantly, Tikkanen says. Today, based on its complexity, "we would place Regin in the same category of highly sophisticated espionage campaigns together with the likes of Stuxnet, Flame and Turla/Snake," he says.

Anti-virus vendor Kaspersky Lab, which has recovered samples of Regin that appear to date to 2003, likewise describes recent versions of the malware as "one of the most sophisticated attack platforms we have ever analyzed," citing its GSM [Global System for Mobile communications] network monitoring capabilities.

Tough To Spot

Over time, Regin's developers have continued to make the malware more difficult to detect. "Regin's developers put considerable effort into making it highly inconspicuous," information security researchers at Symantec say in a blog post. Notably, the malware can covertly communicate with attackers' command-and-control servers using a number of different techniques, including "embedding commands in HTTP cookies," using custom TCP or UDP protocols, and using the ICMP/ping networking protocol, which is normally used by devices to relay error messages. The malware's developers have also imbued it with a custom-built virtual file system that's encrypted, as well as the ability to use an obscure variant of the RC5 symmetric-key block cipher, all of which makes it difficult to understand the inner workings of the malware and related attack campaigns.

Once Regin infects a system, attackers can customize their attack by pushing a variety of add-on modules to the system, including the aforementioned RAT-like capabilities, which include seizing control of the PC's mouse and point-and-click capabilities, monitoring network traffic and stealing passwords. The use of such modules has also been seen before. "This modular approach has been seen in other sophisticated malware families such as Flamer and Weevil - The Mask - while the multi-stage loading architecture is similar to that seen in the Duqu/Stuxnet family of threats," Symantec says.