According to the document, the Five Eyes intelligence partners can create and share plug-ins for the platform. That would explain the very large number of Regin modules in existence.
In January, German news magazine Der Spiegel released a keylogger program dubbed QWERTY that it said was likely part of WARRIORPRIDE and was included in the trove of files leaked by Snowden. Researchers from antivirus firm Kaspersky Lab later concluded that QWERTY was identical to the Regin 50251 plugin and even had code referencing a different Regin module.
Despite the attack platform being exposed, it's unlikely that the group behind it will cease operations, the Symantec researchers said. "Its track record and available resources mean it is probable that the group will re-equip itself with a new threat or upgrade Regin in a bid to evade detection. The latter is the most likely course of action, given the time it would take to develop an equally capable malware framework from scratch."