Adversaries may be using a kernel driver associated with the Regin APT to maintain persistence and evade detection within the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats that leverage kernel-level persistence techniques.
YARA Rule
rule Regin_APT_KernelDriver_Generic_A
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "187044596bc1328efa0ed636d8aa4a5c"
        hash2 = "06665b96e293b23acc80451abb413e50"
        hash3 = "d240f06e98c8d3e647cbf4d442d79475"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $m1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }

        $s0 = "atapi.sys" fullword wide
        $s1 = "disk.sys" fullword wide
        $s3 = "h.data" fullword ascii
        $s4 = "\\system32" fullword ascii
        $s5 = "\\SystemRoot" fullword ascii
        $s6 = "system" fullword ascii
        $s7 = "temp" fullword ascii
        $s8 = "windows" fullword ascii

        $x1 = "LRich6" fullword ascii
        $x2 = "KeServiceDescriptorTable" fullword ascii
    condition:
        $m0 at 0 and $m1 and all of ($s*) and 1 of ($x*)
}
This rule contains 12 string patterns in its detection logic (two hex patterns, eight $s strings and two $x strings). The following scenarios describe benign activity that may produce false positives when the rule is deployed, with a suggested filter or exclusion for each:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as disk cleanup or system update, may trigger the rule due to similar file or process behavior.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks scheduled via the Task Scheduler with known benign command lines.
Scenario: Windows Update or Patching Process
Description: Windows Update or patching mechanisms may involve similar file operations or process spawning as the Regin APT driver.
Filter/Exclusion: Exclude processes initiated by wuauclt.exe or svchost.exe during known update windows.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes may perform deep scans that mimic suspicious behavior.
Filter/Exclusion: Exclude processes with parent process mpsvc.exe (Malwarebytes), kmantivirus.exe (Kaspersky), or mbam.exe (Malwarebytes).
Scenario: System File Checker (SFC) or DISM Scan
Description: System File Checker or DISM operations can cause temporary file system changes that may trigger the rule.
Filter/Exclusion: Exclude processes with parent process svchost.exe and command line containing "sfc /scannow" or "dism".
Scenario: Legitimate Kernel-Mode Driver Installation
Description: A legitimate kernel-mode driver, such as a hardware vendor's driver (e.g., Intel, AMD, or NVIDIA), may be installed via INF files and trigger the rule.
Filter/Exclusion: Exclude processes with parent process setupapi.exe or devcon.exe, and check the file path against known vendor-signed drivers.
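To make the rule's condition concrete, the following added example (not from the page, THOR or the rule's author) re-implements its logic in plain Python: the MZ prefix anchored at offset 0, the DOS stub, the YARA "fullword" and "wide" modifiers, and the "all of ($s*) and 1 of ($x*)" combination. The sample buffer is constructed for the demonstration and is not a real driver; in production you would compile the rule with YARA itself rather than hand-port it.

```python
import hashlib
import re

# Hex patterns from the rule: $m0 is the MZ header prefix anchored at offset 0,
# $m1 is the DOS stub followed by "This program cannot be run in DOS mode."
M0 = bytes.fromhex("4d5a90000300000004000000ffff0000b8")
M1 = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode."

# (identifier, text, modifier): "wide" means UTF-16LE, "ascii" the plain byte string
S_STRINGS = [("s0", "atapi.sys", "wide"), ("s1", "disk.sys", "wide"),
             ("s3", "h.data", "ascii"), ("s4", "\\system32", "ascii"),
             ("s5", "\\SystemRoot", "ascii"), ("s6", "system", "ascii"),
             ("s7", "temp", "ascii"), ("s8", "windows", "ascii")]
X_STRINGS = [("x1", "LRich6", "ascii"), ("x2", "KeServiceDescriptorTable", "ascii")]
KNOWN_MD5 = {"187044596bc1328efa0ed636d8aa4a5c",   # hash1..hash3 from the rule's meta
             "06665b96e293b23acc80451abb413e50", "d240f06e98c8d3e647cbf4d442d79475"}

def fullword_regex(text, modifier):
    """Regex equivalent of a YARA 'fullword' string: no alphanumeric (UTF-16LE for wide) on either side."""
    if modifier == "wide":
        literal = re.escape(text.encode("utf-16-le"))
        return re.compile(rb"(?<![0-9A-Za-z]\x00)" + literal + rb"(?![0-9A-Za-z]\x00)")
    literal = re.escape(text.encode())
    return re.compile(rb"(?<![0-9A-Za-z])" + literal + rb"(?![0-9A-Za-z])")

def evaluate(data):
    """Evaluate the rule's condition over a buffer; returns per-string hits plus the verdict."""
    hits = {"m0": data.startswith(M0), "m1": M1 in data}        # "$m0 at 0 and $m1"
    for name, text, modifier in S_STRINGS + X_STRINGS:
        hits[name] = fullword_regex(text, modifier).search(data) is not None
    s_all = all(hits[n] for n, _, _ in S_STRINGS)                # "all of ($s*)"
    x_any = any(hits[n] for n, _, _ in X_STRINGS)                # "1 of ($x*)"
    hits["match"] = hits["m0"] and hits["m1"] and s_all and x_any
    return hits

def scan_file(path):
    """Check a file's MD5 against the rule's meta hashes, then run the string logic."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = evaluate(data)
    result["known_hash"] = hashlib.md5(data).hexdigest() in KNOWN_MD5
    return result

def build_sample(include_x=True):
    """Constructed buffer (not a real driver) laid out so every rule string matches as fullword."""
    header = M0 + b"\x00" * 47 + M1 + b"\x00" * 16
    parts = [t.encode("utf-16-le") if m == "wide" else t.encode() for _, t, m in S_STRINGS]
    if include_x:
        parts.append(b"KeServiceDescriptorTable")
    return header + b"\x00".join(parts) + b"\x00"
```

Because the rule matches bytes on disk rather than process behaviour, a hit is best triaged on the file's path and signer, as the last scenario above suggests, before any process-based exclusion is applied.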