Adversaries may use a kernel driver associated with the Regin APT to maintain persistence and evade detection on a compromised host. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify advanced persistent threats that rely on kernel-level malware for long-term access and stealth.
YARA Rule
rule Regin_APT_KernelDriver_Generic_B
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "ffb0b9b5b610191051a7bdf0806e1e47"
        hash2 = "bfbe8c3ee78750c3a520480700e440f8"
        hash3 = "b29ca4f22ae7b7b25f79c1d4a421139d"
        hash4 = "06665b96e293b23acc80451abb413e50"
        hash5 = "2c8b9d2885543d7ade3cae98225e263b"
        hash6 = "4b6b86c7fec1c574706cecedf44abded"
        hash7 = "187044596bc1328efa0ed636d8aa4a5c"
        hash8 = "d240f06e98c8d3e647cbf4d442d79475"
        hash9 = "6662c390b2bbbd291ec7987388fc75d7"
        hash10 = "1c024e599ac055312a4ab75b3950040a"
        hash11 = "ba7bb65634ce1e30c1e5415be3d1db1d"
        hash12 = "b505d65721bb2453d5039a389113b566"
        hash13 = "b269894f434657db2b15949641a67532"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s1 = { 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e }
        $s2 = "H.data" fullword ascii nocase
        $s3 = "INIT" fullword ascii
        $s4 = "ntoskrnl.exe" fullword ascii
        $v1 = "\\system32" fullword ascii
        $v2 = "\\SystemRoot" fullword ascii
        $v3 = "KeServiceDescriptorTable" fullword ascii
        $w1 = "\\system32" fullword ascii
        $w2 = "\\SystemRoot" fullword ascii
        $w3 = "LRich6" fullword ascii
        $x1 = "_snprintf" fullword ascii
        $x2 = "_except_handler3" fullword ascii
        $y1 = "mbstowcs" fullword ascii
        $y2 = "wcstombs" fullword ascii
        $y3 = "KeGetCurrentIrql" fullword ascii
        $z1 = "wcscpy" fullword ascii
        $z2 = "ZwCreateFile" fullword ascii
        $z3 = "ZwQueryInformationFile" fullword ascii
        $z4 = "wcslen" fullword ascii
        $z5 = "atoi" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and ( all of ($v*) or all of ($w*) or all of ($x*) or all of ($y*) or all of ($z*) ) and filesize < 20KB
}
This rule contains 21 string patterns in its detection logic. When it is deployed, the following scenarios may produce benign matches and are candidates for filtering:
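To make the condition clause above concrete, here is an added Python re-implementation of this rule's logic (not code from the rule author or THOR) run over constructed byte buffers, not real Regin samples. It shows the three things an analyst usually misreads in this condition: $m0 must sit at offset 0, a $v/$w/$x/$y/$z group only counts when every string in it is present, and fullword rejects a string that is merely a prefix of a longer identifier (here the hypothetical longer name KeServiceDescriptorTableShadow is used only to illustrate that boundary check).

```python
import re

# Hex strings from the rule: $m0 (anchored at offset 0) and $s1 (the DOS stub).
M0_MZ_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8")
S1_DOS_STUB = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode."

# ASCII strings from the rule, grouped by prefix; every one is "fullword ascii".
GROUPS = {
    "s": [b"H.data", b"INIT", b"ntoskrnl.exe"],
    "v": [b"\\system32", b"\\SystemRoot", b"KeServiceDescriptorTable"],
    "w": [b"\\system32", b"\\SystemRoot", b"LRich6"],
    "x": [b"_snprintf", b"_except_handler3"],
    "y": [b"mbstowcs", b"wcstombs", b"KeGetCurrentIrql"],
    "z": [b"wcscpy", b"ZwCreateFile", b"ZwQueryInformationFile", b"wcslen", b"atoi"],
}
NOCASE = {b"H.data"}   # only $s2 carries the nocase modifier
MAX_SIZE = 20 * 1024   # filesize < 20KB

def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the match must not touch an alphanumeric byte on either side."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    flags = re.IGNORECASE if s in NOCASE else 0
    return re.search(pattern, data, flags) is not None

def matches_regin_kernel_driver(data: bytes) -> bool:
    """Evaluate the rule's condition clause by clause."""
    if len(data) >= MAX_SIZE or not data.startswith(M0_MZ_HEADER):
        return False
    if S1_DOS_STUB not in data:   # $s1 is a plain hex string, no fullword modifier
        return False
    if not all(fullword_present(data, s) for s in GROUPS["s"]):
        return False
    # One of the API/import groups must match completely; a partial group does not count.
    return any(all(fullword_present(data, s) for s in strs)
               for name, strs in GROUPS.items() if name != "s")

def build_sample(extra: list, pad_to: int = 0) -> bytes:
    """Constructed test buffer (not a real driver): MZ header, DOS stub, then
    NUL-separated strings, optionally padded to exercise the filesize clause."""
    body = b"\x00".join([S1_DOS_STUB, b"h.DATA", b"INIT", b"ntoskrnl.exe"] + extra)
    data = M0_MZ_HEADER + b"\x00" * 47 + body
    return data + b"\x00" * max(0, pad_to - len(data))

if __name__ == "__main__":
    v_group = [b"\\system32", b"\\SystemRoot", b"KeServiceDescriptorTable"]
    print(matches_regin_kernel_driver(build_sample(v_group)))                  # True
    # Hypothetical longer identifier: fullword rejects it and $w* lacks LRich6.
    shadow = [b"\\system32", b"\\SystemRoot", b"KeServiceDescriptorTableShadow"]
    print(matches_regin_kernel_driver(build_sample(shadow)))                   # False
    print(matches_regin_kernel_driver(build_sample(v_group, pad_to=MAX_SIZE)))  # False
```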
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Update or disk cleanup, may trigger the rule due to similar process or file patterns.
Filter/Exclusion: Exclude processes related to svchost.exe, taskhost.exe, or specific update services like wuauserv or TrustedInstaller.
Scenario: Antivirus or Endpoint Protection Scan
Description: Antivirus tools like Kaspersky, Bitdefender, or Malwarebytes may perform deep scans that mimic malicious activity, triggering the rule.
Filter/Exclusion: Exclude processes with parent or child processes named kavsvc.exe, bdagent.exe, or mbam.exe.
Scenario: Software Deployment via SCCM or Microsoft Endpoint Manager
Description: A legitimate software deployment using System Center Configuration Manager (SCCM) or Microsoft Endpoint Manager may involve kernel-level operations that match the rule’s criteria.
Filter/Exclusion: Exclude processes with parent or child processes related to ccmexec.exe, mpssvc.exe, or Microsoft Intune.
Scenario: Virtualization or Hypervisor Management Tools
Description: Tools like VMware Tools, Hyper-V Integration Services, or Microsoft Hyper-V may interact with kernel drivers and trigger the rule.
Filter/Exclusion: Exclude processes with parent or child processes named vmtoolsd.exe, vm3dsvc.exe, or hypervisor.
Scenario: System File Integrity Check (SFIC) or DISM Repair
Description: System file checks using DISM or sfc /scannow may involve kernel driver interactions that resemble malicious behavior.
Filter/Exclusion: Exclude processes with parent or child processes named sfcos.exe,