The Hopscotch module of Regin is used to establish covert communication channels, which may indicate long-term persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats and mitigate data loss risks.
YARA Rule
rule apt_regin_hopscotch
{
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect Regin's Hopscotch module"
        version = "1.0"
        last_modified = "2015-01-22"
        reference = "https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/"
        md5 = "6c34031d7a5fc2b091b623981a8ae61c"

    strings:
        $mz = "MZ"
        $a1 = "AuthenticateNetUseIpc"
        $a2 = "Failed to authenticate to"
        $a3 = "Failed to disconnect from"
        $a4 = "%S\\ipc$" wide    // matched only in its UTF-16LE form
        $a5 = "Not deleting..."
        $a6 = "CopyServiceToRemoteMachine"
        $a7 = "DH Exchange failed"
        $a8 = "ConnectToNamedPipes"

    condition:
        // MZ header at offset 0 and every $a* string present in the file
        ($mz at 0) and all of ($a*)
}
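As an added example (not part of the original page or of Kaspersky's rule), the rule's condition re-implemented in Python so that the effect of `$mz at 0` and of the `wide` modifier can be checked against constructed byte buffers; in practice the rule would be compiled with yara or yara-python, which this stand-in does not replace, and the sample bytes are constructed, not real Regin content.

```python
# Added example: pure-Python mirror of the apt_regin_hopscotch condition.
# It only illustrates how "$mz at 0", "wide" and "all of ($a*)" behave;
# real scanning should use yara / yara-python with the rule itself.

ASCII_STRINGS = [
    b"AuthenticateNetUseIpc",
    b"Failed to authenticate to",
    b"Failed to disconnect from",
    b"Not deleting...",
    b"CopyServiceToRemoteMachine",
    b"DH Exchange failed",
    b"ConnectToNamedPipes",
]
# In YARA source, "%S\\ipc$" is the 7-character literal %S\ipc$; the "wide"
# modifier means YARA looks for its UTF-16LE encoding only, not the ASCII form.
WIDE_STRING = "%S\\ipc$".encode("utf-16-le")


def hopscotch_rule_matches(data: bytes) -> bool:
    """Return True iff data satisfies: ($mz at 0) and all of ($a*)."""
    if not data.startswith(b"MZ"):      # $mz at 0: "MZ" elsewhere does not count
        return False
    if WIDE_STRING not in data:         # $a4 must be present as UTF-16LE
        return False
    return all(s in data for s in ASCII_STRINGS)


def build_sample(mz_at_zero: bool = True, wide_ipc: bool = True) -> bytes:
    """Constructed stand-in for a PE image (hypothetical bytes, not Regin)."""
    header = b"MZ" if mz_at_zero else b"\x00MZ"
    ipc = WIDE_STRING if wide_ipc else b"%S\\ipc$"   # ASCII form should NOT match
    body = b"\x00".join(ASCII_STRINGS)
    return header + b"\x00" * 62 + body + b"\x00" + ipc + b"\x00" * 16


if __name__ == "__main__":
    print(hopscotch_rule_matches(build_sample()))                  # True
    print(hopscotch_rule_matches(build_sample(mz_at_zero=False)))  # False
    print(hopscotch_rule_matches(build_sample(wide_ipc=False)))    # False
```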
This rule contains 9 string patterns in its detection logic (the MZ header check plus the eight $a* strings).
The following scenarios describe benign activity that may resemble this behavior when the rule is deployed, with suggested filters or exclusions:
Scenario: Scheduled system maintenance using task scheduler
Description: A legitimate scheduled task runs the Hopscotch module as part of a system maintenance script.
Filter/Exclusion: Check for task scheduler or schtasks.exe in the process tree or command line arguments.
Scenario: Admin using PowerShell to manage network interfaces
Description: An administrator uses PowerShell to configure network interfaces, which may trigger the Hopscotch module due to similar command-line patterns.
Filter/Exclusion: Filter by powershell.exe with command-line arguments containing Get-NetAdapter or Set-NetAdapter.
Scenario: Log collection via LogParser or Windows Event Collector
Description: A legitimate log collection tool like LogParser or WEVTUTIL may execute scripts that resemble Hopscotch module behavior.
Filter/Exclusion: Exclude processes associated with LogParser.exe, wevtutil.exe, or eventvwr.exe.
Scenario: Software update via Windows Update or WSUS
Description: A Windows Update or WSUS client may trigger the rule due to similar script execution patterns.
Filter/Exclusion: Exclude processes related to wuauserv, svchost.exe (with wuauserv as the service name), or WindowsUpdate.exe.
Scenario: Backup job using Veeam or Acronis
Description: A backup tool like Veeam or Acronis may execute scripts that match the Hopscotch module’s behavior.
Filter/Exclusion: Exclude processes associated with VeeamBackup.exe, Acronis.exe, or any known backup tool executables.