win.regin

Regin


Regin is a sophisticated malware and hacking toolkit attributed to the United States' National Security Agency (NSA) and used for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin targeted victims in a range of sectors, including telecommunications, government, and financial institutions. It was engineered to be modular, and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations, including private companies, government entities, and research institutes.

References
2020-06-09 | Kaspersky Labs | Costin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2018-06-15 | Youtube (defconswitzerland) | Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2016-08-08 | Symantec | A L Johnson
@online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Strider: Cyberespionage group turns eye of Sauron on targets
Flame Regin Remsec ProjectSauron
2015-08-27 | Symantec | Symantec Security Response
@techreport{response:20150827:regin:5a5257b, author = {Symantec Security Response}, title = {{Regin: Top-tier espionage tool enables stealthy surveillance}}, date = {2015-08-27}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf}, language = {English}, urldate = {2020-01-20} } Regin: Top-tier espionage tool enables stealthy surveillance
Regin
2014-11-25 | Kaspersky Labs | Brain Donohue
@online{donohue:20141125:regin:15d544f, author = {Brain Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} } Regin APT Attacks Among the Most Sophisticated Ever Analyzed
Regin
Yara Rules
[TLP:WHITE] win_regin_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_regin_auto {
    /* Detects code fragments of the win.regin family (see malpedia_reference).
     * Each $sequence_N is a run of instruction bytes (a YARA hex string) taken
     * from the analysed memory dumps / unpacked files described in the
     * DISCLAIMER below; the per-byte listing under each string is the
     * disassembly emitted by the generator and is kept as documentation of the
     * bytes, not as part of the match.
     * NOTE(review): the mnemonics appear to be a 32-bit rendering: the lone
     * 0x40-0x4f bytes are shown as inc/dec, whereas in 64-bit code those bytes
     * are REX prefixes of the following instruction (e.g. 48 8bd9 would read
     * as mov rbx, rcx). Confirm the sample's bitness before reading the
     * mnemonics literally.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" in the comments below is the number of instructions in the
        // sequence; "score" is the generator's selection score for it.
        $sequence_0 = { 897808 4c 8be7 48 8978c0 8978c8 }
            // n = 6, score = 100
            //   897808               | mov                 dword ptr [eax + 8], edi
            //   4c                   | dec                 esp
            //   8be7                 | mov                 esp, edi
            //   48                   | dec                 eax
            //   8978c0               | mov                 dword ptr [eax - 0x40], edi
            //   8978c8               | mov                 dword ptr [eax - 0x38], edi

        $sequence_1 = { 48 8bd9 4d 85c0 7413 49 }
            // n = 6, score = 100
            //   48                   | dec                 eax
            //   8bd9                 | mov                 ebx, ecx
            //   4d                   | dec                 ebp
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   49                   | dec                 ecx

        $sequence_2 = { 8ada 48 397c2438 740e 8b542430 48 }
            // n = 6, score = 100
            //   8ada                 | mov                 bl, dl
            //   48                   | dec                 eax
            //   397c2438             | cmp                 dword ptr [esp + 0x38], edi
            //   740e                 | je                  0x10
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   48                   | dec                 eax

        $sequence_3 = { 48 3bcf 0f84ae000000 48 }
            // n = 4, score = 100
            //   48                   | dec                 eax
            //   3bcf                 | cmp                 ecx, edi
            //   0f84ae000000         | je                  0xb4
            //   48                   | dec                 eax

        $sequence_4 = { c1e802 41 ffc0 48 8d4c2470 41 }
            // n = 6, score = 100
            //   c1e802               | shr                 eax, 2
            //   41                   | inc                 ecx
            //   ffc0                 | inc                 eax
            //   48                   | dec                 eax
            //   8d4c2470             | lea                 ecx, [esp + 0x70]
            //   41                   | inc                 ecx

        $sequence_5 = { 3bfc 741c 8b942480000000 48 }
            // n = 4, score = 100
            //   3bfc                 | cmp                 edi, esp
            //   741c                 | je                  0x1e
            //   8b942480000000       | mov                 edx, dword ptr [esp + 0x80]
            //   48                   | dec                 eax

        $sequence_6 = { 0f8530010000 4c 8d4c2460 8d7b40 44 8bc7 8d530b }
            // n = 7, score = 100
            //   0f8530010000         | jne                 0x136
            //   4c                   | dec                 esp
            //   8d4c2460             | lea                 ecx, [esp + 0x60]
            //   8d7b40               | lea                 edi, [ebx + 0x40]
            //   44                   | inc                 esp
            //   8bc7                 | mov                 eax, edi
            //   8d530b               | lea                 edx, [ebx + 0xb]

        // NOTE(review): this is the first five bytes of $sequence_1, so it
        // matches wherever $sequence_1 matches. With both counted, the
        // "7 of them" threshold below is satisfied by six distinct fragments
        // whenever $sequence_1 is present; weigh that when assigning confidence.
        $sequence_7 = { 48 8bd9 4d 85c0 7413 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   8bd9                 | mov                 ebx, ecx
            //   4d                   | dec                 ebp
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15

        $sequence_8 = { 8339ff 0fb6c0 ba01000000 0f45c2 c3 48 8bc4 }
            // n = 7, score = 100
            //   8339ff               | cmp                 dword ptr [ecx], -1
            //   0fb6c0               | movzx               eax, al
            //   ba01000000           | mov                 edx, 1
            //   0f45c2               | cmovne              eax, edx
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   8bc4                 | mov                 eax, esp

        // ff 15 is an indirect call; the ???????? wildcards its 4-byte operand
        // so that address-specific bytes do not pin the rule to one build.
        $sequence_9 = { b800100000 ff15???????? 4c 8be0 }
            // n = 4, score = 100
            //   b800100000           | mov                 eax, 0x1000
            //   ff15????????         |                     
            //   4c                   | dec                 esp
            //   8be0                 | mov                 esp, eax

    condition:
        // At least 7 of the 10 $sequence_* strings, in an input smaller than
        // 48 KiB (49152 bytes). The size bound means larger files or dumps that
        // contain these bytes will not match.
        // NOTE(review): filesize is documented by YARA as meaningful only for
        // file scans, not process-memory scans — confirm how your YARA version
        // evaluates this condition before relying on it for memory scanning.
        7 of them and filesize < 49152
}