Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Researchers Detail Regin Attack Platform Modules

Researchers at Kaspersky Lab released details today of two modules used by the notorious Regin malware platform first exposed last year.

Researchers at Kaspersky Lab released details today of two modules used by the notorious Regin malware platform first exposed last year.

Publicly identified separately in November by security researchers at Kaspersky Lab and Symantec, Regin has been linked to cyber-espionage campaigns going back to at least 2008. In addition to stealing information from targets such as banks and government agencies, the malware was also used to target telecom operators and to penetrate and monitor GSM (Global System for Mobile Communications) networks.

According to Kaspersky Lab, two modules named ‘hopscotch’ and ‘legspin’ were designed as standalone tools that seem to predate the Regin platform by several years.

“Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators,” Kaspersky Lab researchers Costin Raiu and Igor Soumenkov explained in a joint blog post. “What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.”

For example, the Legspin module is believed to go back to 2003 and possibly 2002. The module was developed as a standalone command line utility for complete administration, the researchers wrote. When run remotely, it operates a backdoor and includes full console support. It also features colored output when run locally, and can distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

“Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands,” the researchers explained. “The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.”

According to Kaspersky Lab, the Legspin module doesn’t have a built-in command and control mechanism, and instead uses the Regin platform to redirect the console input/output to/from the operators.

Advertisement. Scroll to continue reading.

Meanwhile, the Hopscotch module was designed as an interactive tool for lateral movement. It does not contain any exploits; instead it relies on previously stolen credentials to authenticate itself at the remote machine using standard APIs, the researchers wrote.

“The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes,” they continued. “One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption. Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.”

“Although more details about Regin are becoming available, there is still a lot that remains unknown,” the researchers wrote. “One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...