This post was authored by Alex Chiu with contributions from Joel Esler.

Advanced persistent threats are a problem that many companies and organizations of all sizes face. In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed.  The threat actors behind ‘Regin’ appear to be targeting organizations in the Financial, Government, and Telecommunications verticals as well as targeting research institutions in the Education vertical.  Talos is aware of these reports and has responded to the issue in order to ensure our customers are protected.
The ‘Regin’ malware is highly sophisticated and has a multi-stage architecture where each successive stage is first decrypted then executed in sequence.  Once the malware has fully installed itself on the target system, it will contact a command-and-control server and exfiltrate user data, such as keystrokes and screenshots.

Talos is providing coverage for ‘Regin’ with detection rules for Snort and ClamAV being released.  ClamAV and AMP customers are also protected with coverage for the malware having been published since Early 2013.  The IP addresses known to be associated with ‘Regin’ command-and-control have also been blocklisted.

Known Command-and-Control IP Addresses
61.67.114.73
202.71.144.113
203.199.89.80
194.183.237.145

Snort Rules: 32621-32624
ClamAV Signature Parent Name: Win.Trojan.Regin

Protecting Users Against These Threats

coveragetable


Advanced Malware Protection (AMP) is ideally suited to detect the sophisticated malware used in this campaign.
CWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.