Symbol: win.regin
Common name: Regin


Regin is a sophisticated modular malware platform and hacking toolkit attributed to the United States' National Security Agency (NSA) and used for government espionage operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin targeted victims across a range of sectors, including telecommunications providers, government bodies, and financial institutions. The platform was engineered to be modular, and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 countries across a variety of organisations, including private companies, government entities, and research institutes.

References

2021-02-05 | EpicTurla | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20210205:voltron:953cec2, author = {Juan Andrés Guerrero-Saade}, title = {{Voltron STA The curious case of 0xFancyFilter}}, date = {2021-02-05}, organization = {EpicTurla}, url = {https://www.epicturla.com/previous-works/hitb2020-voltron-sta}, language = {English}, urldate = {2021-02-06} }
Families: fancyfilter, MISTYVEAL, Regin

2020-06-09 | Kaspersky Labs | Costin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} }
Families: Penquin Turla, CCleaner Backdoor, EternalPetya, Regin, WannaCryptor, XTunnel

2018-06-15 | Youtube (defconswitzerland) | Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} }
Families: Lambert, Regin

2016-08-08 | Symantec | A L Johnson
@online{johnson:20160808:strider:49d9d44, author = {A L Johnson}, title = {{Strider: Cyberespionage group turns eye of Sauron on targets}}, date = {2016-08-08}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} }
Families: Flame, Regin, Remsec, ProjectSauron

2015-08-27 | Symantec | Symantec Security Response
@techreport{response:20150827:regin:5a5257b, author = {Symantec Security Response}, title = {{Regin: Top-tier espionage tool enables stealthy surveillance}}, date = {2015-08-27}, institution = {Symantec}, url = {https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf}, language = {English}, urldate = {2020-01-20} }
Families: Regin

2014-11-25 | Kaspersky Labs | Brian Donohue
@online{donohue:20141125:regin:15d544f, author = {Brian Donohue}, title = {{Regin APT Attacks Among the Most Sophisticated Ever Analyzed}}, date = {2014-11-25}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/}, language = {English}, urldate = {2019-12-17} }
Families: Regin

2014-11-24 | Kaspersky | Kaspersky Lab
@techreport{lab:20141124:regin:b19cdc4, author = {Kaspersky Lab}, title = {{The Regin Platform Nation-State Ownage Of GSM Networks}}, date = {2014-11-24}, institution = {Kaspersky}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf}, language = {English}, urldate = {2022-03-22} }
Families: Regin

2014-11-24 | Kaspersky | GReAT
@online{great:20141124:regin:281a556, author = {GReAT}, title = {{Regin: nation-state ownage of GSM networks}}, date = {2014-11-24}, organization = {Kaspersky}, url = {https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/}, language = {English}, urldate = {2022-03-22} }
Families: Regin
Yara Rules
[TLP:WHITE] win_regin_auto (20221125 | Detects win.regin.)
rule win_regin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.regin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE (editorial): the sequences below are x64 instruction bytes, but the
     * generator's listing decodes them as 32-bit code, so REX prefixes
     * (0x41, 0x44, 0x48, 0x49, 0x4c) show up as inc/dec of a register.
     * For example `48 8d0504230000` is `lea rax, [rip+0x2304]` in 64-bit mode,
     * not `dec eax; lea eax, [0x2304]`. The byte patterns themselves are
     * unaffected; only the comments are misleading.
     */

    strings:
        $sequence_0 = { 49 8363f000 48 8d0504230000 49 8943d8 }
            // n = 6, score = 100
            //   49                   | dec                 ecx
            //   8363f000             | and                 dword ptr [ebx - 0x10], 0
            //   48                   | dec                 eax
            //   8d0504230000         | lea                 eax, [0x2304]
            //   49                   | dec                 ecx
            //   8943d8               | mov                 dword ptr [ebx - 0x28], eax

        $sequence_1 = { 48 89442438 b800210000 c7442430204e0000 89442428 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   b800210000           | mov                 eax, 0x2100
            //   c7442430204e0000     | mov                 dword ptr [esp + 0x30], 0x4e20
            //   89442428             | mov                 dword ptr [esp + 0x28], eax

        $sequence_2 = { 85c0 740c 8b05???????? 39442460 7405 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   8b05????????         |                     
            //   39442460             | cmp                 dword ptr [esp + 0x60], eax
            //   7405                 | je                  7

        $sequence_3 = { c1e802 41 ffc0 48 8d4c2470 41 }
            // n = 6, score = 100
            //   c1e802               | shr                 eax, 2
            //   41                   | inc                 ecx
            //   ffc0                 | inc                 eax
            //   48                   | dec                 eax
            //   8d4c2470             | lea                 ecx, [esp + 0x70]
            //   41                   | inc                 ecx

        $sequence_4 = { 8d05e7060000 4c 8bce 8bd5 }
            // n = 4, score = 100
            //   8d05e7060000         | lea                 eax, [0x6e7]
            //   4c                   | dec                 esp
            //   8bce                 | mov                 ecx, esi
            //   8bd5                 | mov                 edx, ebp

        $sequence_5 = { 56 57 41 54 48 83ec38 33db }
            // n = 7, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   41                   | inc                 ecx
            //   54                   | push                esp
            //   48                   | dec                 eax
            //   83ec38               | sub                 esp, 0x38
            //   33db                 | xor                 ebx, ebx

        $sequence_6 = { 33c0 48 83c428 c3 48 83ec28 33c9 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   48                   | dec                 eax
            //   83c428               | add                 esp, 0x28
            //   c3                   | ret                 
            //   48                   | dec                 eax
            //   83ec28               | sub                 esp, 0x28
            //   33c9                 | xor                 ecx, ecx

        $sequence_7 = { 0f45df 8bc3 48 8b5c2448 }
            // n = 4, score = 100
            //   0f45df               | cmovne              ebx, edi
            //   8bc3                 | mov                 eax, ebx
            //   48                   | dec                 eax
            //   8b5c2448             | mov                 ebx, dword ptr [esp + 0x48]

        $sequence_8 = { 84c0 44 8d7304 0f45f8 8d4302 44 84c0 }
            // n = 7, score = 100
            //   84c0                 | test                al, al
            //   44                   | inc                 esp
            //   8d7304               | lea                 esi, [ebx + 4]
            //   0f45f8               | cmovne              edi, eax
            //   8d4302               | lea                 eax, [ebx + 2]
            //   44                   | inc                 esp
            //   84c0                 | test                al, al

        $sequence_9 = { eb05 bb01000000 33d2 41 }
            // n = 4, score = 100
            //   eb05                 | jmp                 7
            //   bb01000000           | mov                 ebx, 1
            //   33d2                 | xor                 edx, edx
            //   41                   | inc                 ecx

    condition:
        7 of them and filesize < 49152
}
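To see exactly what the rule's condition does without a YARA install, the following added example (editorial code, not part of Malpedia or yara-signator) re-implements the semantics of the rule's hex strings and its `7 of them and filesize < 49152` condition in plain Python: each hex string is compiled to a bytes regex (`??` is one wildcard byte, as in YARA), `N of them` counts distinct strings that match at least once, not occurrences, and `filesize` is the length of the scanned buffer. The input blobs are constructed from the rule's own sequences padded with filler bytes; they are synthetic test data, not Regin samples. The third case shows the caveat a practitioner should remember: the same sequences inside a file of 64 KiB or more do not fire, because of the size bound in the condition.

```python
import re

# Hex strings copied from the win_regin_auto rule above. `??` is a single
# wildcard byte, exactly as in YARA hex strings.
REGIN_AUTO_SEQUENCES = {
    "sequence_0": "49 8363f000 48 8d0504230000 49 8943d8",
    "sequence_1": "48 89442438 b800210000 c7442430204e0000 89442428",
    "sequence_2": "85c0 740c 8b05???????? 39442460 7405",
    "sequence_3": "c1e802 41 ffc0 48 8d4c2470 41",
    "sequence_4": "8d05e7060000 4c 8bce 8bd5",
    "sequence_5": "56 57 41 54 48 83ec38 33db",
    "sequence_6": "33c0 48 83c428 c3 48 83ec28 33c9",
    "sequence_7": "0f45df 8bc3 48 8b5c2448",
    "sequence_8": "84c0 44 8d7304 0f45f8 8d4302 44 84c0",
    "sequence_9": "eb05 bb01000000 33d2 41",
}

# The rule's condition: `7 of them and filesize < 49152`.
MIN_SEQUENCES = 7
MAX_FILESIZE = 49152


def _byte_pairs(hex_string: str) -> list:
    """Split a YARA hex string into two-character tokens ('c0', '??', ...)."""
    nibbles = hex_string.replace(" ", "")
    if len(nibbles) % 2:
        raise ValueError("odd number of nibbles in hex string: %r" % hex_string)
    return [nibbles[i:i + 2] for i in range(0, len(nibbles), 2)]


def hex_string_to_regex(hex_string: str) -> "re.Pattern":
    """Compile a YARA hex string (fixed bytes plus `??` wildcards) to a bytes regex."""
    parts = []
    for pair in _byte_pairs(hex_string):
        if pair == "??":
            parts.append(b".")                     # any single byte
        else:
            int(pair, 16)                          # validate the hex digits
            parts.append(b"\\x" + pair.encode("ascii"))
    # DOTALL so the wildcard also matches 0x0a.
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate_rule(data: bytes) -> tuple:
    """Evaluate the rule condition over `data`.

    Returns (matched, names): `names` lists the distinct hex strings found at
    least once (YARA's `N of them` counts strings, not hits); `matched` is True
    only if at least MIN_SEQUENCES strings were found and the buffer is smaller
    than MAX_FILESIZE bytes.
    """
    names = [name for name, hs in REGIN_AUTO_SEQUENCES.items()
             if hex_string_to_regex(hs).search(data)]
    return (len(names) >= MIN_SEQUENCES and len(data) < MAX_FILESIZE), names


def sequence_bytes(hex_string: str, fill: int = 0x90) -> bytes:
    """Materialise a hex string as concrete bytes, replacing `??` with `fill`."""
    return bytes(fill if p == "??" else int(p, 16) for p in _byte_pairs(hex_string))


def build_synthetic_blob(names, pad: int = 64, total: int = 4096) -> bytes:
    """Constructed test input (not a Regin sample): the chosen sequences,
    separated by 0xCC filler and zero-padded to `total` bytes. Neither filler
    byte occurs in any sequence, so no accidental cross-boundary matches arise."""
    body = b"\xcc" * pad
    for name in names:
        body += sequence_bytes(REGIN_AUTO_SEQUENCES[name]) + b"\xcc" * pad
    return body.ljust(total, b"\x00")


if __name__ == "__main__":
    all_names = list(REGIN_AUTO_SEQUENCES)
    print("7 sequences, 4 KiB :", evaluate_rule(build_synthetic_blob(all_names[:7])))
    print("6 sequences, 4 KiB :", evaluate_rule(build_synthetic_blob(all_names[:6]))[0])
    print("10 sequences, 64 KiB:", evaluate_rule(build_synthetic_blob(all_names, total=65536))[0])
```

The size bound matters in practice: the strings are selected from unpacked code and memory dumps, so a full process dump or a larger carrier file containing the same code will not match this rule as written; when hunting in memory, scan the individual module images or drop the `filesize` clause in a local copy.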