Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Detail Regin Attack Platform Modules

Researchers at Kaspersky Lab released details today of two modules used by the notorious Regin malware platform first exposed last year.

Researchers at Kaspersky Lab released details today of two modules used by the notorious Regin malware platform first exposed last year.

Publicly identified separately in November by security researchers at Kaspersky Lab and Symantec, Regin has been linked to cyber-espionage campaigns going back to at least 2008. In addition to stealing information from targets such as banks and government agencies, the malware was also used to target telecom operators and to penetrate and monitor GSM (Global System for Mobile Communications) networks.

According to Kaspersky Lab, two modules named ‘hopscotch’ and ‘legspin’ were designed as standalone tools that seem to predate the Regin platform by several years.

“Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” Kaspersky Lab researchers Costin Raiu and Igor Soumenkov explained in a joint blog post. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.”

For example, the Legspin module is believed to go back to 2003 and possibly 2002. The module was developed as a standalone command line utility for complete administration, the researchers wrote. When run remotely, it operates a backdoor and includes full console support. It also features colored output when run locally, and can distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

“Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands,” the researchers explained. “The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.”

According to Kaspersky Lab, the Legspin module doesn’t have a built-in command and control mechanism, and instead uses the Regin platform to redirect the console input/output to/from the operators.

Meanwhile, the Hopscotch module was designed as an interactive tool for lateral movement. It does not contain any exploits; instead it relies on previously stolen credentials to authenticate itself at the remote machine using standard APIs, the researchers wrote.

Advertisement. Scroll to continue reading.

“The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes,” they continued. “One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption. Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.”

“Although more details about Regin are becoming available, there is still a lot that remains unknown,” the researchers wrote. “One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.