The Regin Trojan is alive and well in the wild despite being uncovered by Symantec last year.
Described as one of the most advanced spying tools ever seen, Regin has been around since at least 2008 and has been used against a range of targets including government bodies, critical national infrastructure (CNI), businesses, researchers and individuals.
There has been some speculation that the Regin malware is linked to the NSA after documents released by Edward Snowden included code that was later linked to Regin by Kaspersky Lab.
Symantec has found 49 new modules, bringing the total number identified to 75, nearly a three-fold increase. But the company is keen to stress that this is an incomplete list and the true number of modules is not known.
Regin is a five-stage threat, with each stage loading and decrypting the next. Controllers are able to customise each attack according to the target by adding modules for networking, file handling and delivering specialist payloads.
Symantec found that Regin is backed by a command and control (C&C) infrastructure that relays commands through infected computers, which can in turn act as proxies for other infected computers.
According to Symantec, all C&C communications use strong encryption and follow a two-stage protocol, where the attackers contact the infected computer on one channel and instruct it to open communications on another.
Regin's peer-to-peer (P2P) capability assigns each infection a virtual IP address, forming a virtual private network (VPN) overlaid on the physical network of the infected computers. This P2P capability allows the attackers to maintain deep access to critical assets within compromised organisations while masking the core infrastructure belonging to the group.
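The relay and two-channel behaviour described above leaves a footprint a defender can look for in network flow data: a host receives a connection and, shortly afterwards, opens a new connection to a different endpoint, and those hops chain inward from a single external address. The script below is an added illustration of that detection idea, not code from Symantec or from the Regin samples. The flow records are constructed, the field layout (timestamp, source, destination, destination port), the 10.0.0.0/8 internal range and the 10-second correlation window are all assumptions; adapt them to whatever your NetFlow or Zeek export actually provides.

```python
"""Added example: find hosts acting as C&C relays in flow records.

Not Symantec's or Regin's code. Flow records are constructed; the record
layout, internal range and correlation window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, src, dst, dst_port).
SAMPLE_FLOWS = [
    ("2015-08-10T09:00:00", "203.0.113.7", "10.0.0.5", 443),      # external -> host A (first channel)
    ("2015-08-10T09:00:04", "10.0.0.5", "10.0.0.9", 8443),        # A opens a new channel to B seconds later
    ("2015-08-10T09:00:06", "10.0.0.9", "10.0.0.23", 445),        # B forwards on to C
    ("2015-08-10T09:30:00", "10.0.0.12", "10.0.0.2", 53),         # benign DNS query to the resolver
    ("2015-08-10T10:00:00", "10.0.0.2", "198.51.100.4", 53),      # resolver talks out, far outside any window
    ("2015-08-10T11:00:00", "10.0.0.40", "10.0.0.5", 443),        # inbound to A with no follow-on connection
]

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space


def parse_flows(records):
    """Turn the raw tuples into (datetime, src, dst, port), sorted by time."""
    return sorted((datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in records)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_relay_candidates(records, window_seconds=10):
    """Return {host: [(inbound_src, outbound_dst, gap_seconds), ...]}.

    A host Y is a relay candidate when some X connects to Y and, within
    window_seconds, Y opens a new connection to some Z that is not X.
    This is the "contact on one channel, open another" pattern.
    """
    flows = parse_flows(records)
    window = timedelta(seconds=window_seconds)
    candidates = defaultdict(list)
    for t_in, x, y, _ in flows:
        for t_out, src, z, _ in flows:
            if src != y or z == x:
                continue
            gap = t_out - t_in
            if timedelta(0) < gap <= window:
                candidates[y].append((x, z, int(gap.total_seconds())))
    return dict(candidates)


def relay_chains(records, window_seconds=10):
    """Follow hops inward from connections that originate outside the network.

    Each chain is [external_origin, hop1, hop2, ...]. Only the first hop ever
    talks to the external address, which is what lets a relaying implant hide
    the operator's real infrastructure from everyone further down the chain.
    """
    flows = parse_flows(records)
    window = timedelta(seconds=window_seconds)
    chains = []

    def extend(chain, t_last):
        tail = chain[-1]
        grew = False
        for t, src, dst, _ in flows:
            if src == tail and dst not in chain and timedelta(0) < t - t_last <= window:
                grew = True
                extend(chain + [dst], t)
        if not grew and len(chain) > 2:  # at least one onward hop after the entry point
            chains.append(chain)

    for t, src, dst, _ in flows:
        if not is_internal(src) and is_internal(dst):
            extend([src, dst], t)
    return chains


if __name__ == "__main__":
    for host, hops in find_relay_candidates(SAMPLE_FLOWS).items():
        print(f"relay candidate {host}: {hops}")
    for chain in relay_chains(SAMPLE_FLOWS):
        print("chain: " + " -> ".join(chain))
```

On the constructed flows this flags 10.0.0.5 and 10.0.0.9 and reconstructs the chain 203.0.113.7 -> 10.0.0.5 -> 10.0.0.9 -> 10.0.0.23, while the resolver, whose outbound query comes half an hour after the inbound one, is not flagged. The heuristic is deliberately simple and will be noisy on jump hosts, forward proxies and load balancers; in practice it is combined with the other property the article notes, an encrypted channel on a port or protocol the host has no business using, and the window is tuned to the observed beaconing cadence rather than fixed at ten seconds.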