Adversaries may use kernel driver malware associated with the Regin APT to maintain persistence and evade detection on a compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential advanced persistent threats and mitigate lateral movement risks.
YARA Rule
```yara
rule Regin_APT_KernelDriver_Generic_C
{
    meta:
        description = "Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2"
        author = "@Malwrsignatures - included in APT Scanner THOR"
        date = "23.11.14"
        hash1 = "e0895336617e0b45b312383814ec6783556d7635"
        hash2 = "732298fa025ed48179a3a2555b45be96f7079712"
    strings:
        $m0 = { 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 }
        $s0 = "KeGetCurrentIrql" fullword ascii
        $s1 = "5.2.3790.0 (srv03_rtm.030324-2048)" fullword wide
        $s2 = "usbclass" fullword wide
        $x1 = "PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING" ascii
        $x2 = "Universal Serial Bus Class Driver" fullword wide
        $x3 = "5.2.3790.0" fullword wide
        $y1 = "LSA Shell" fullword wide
        $y2 = "0Richw" fullword ascii
    condition:
        $m0 at 0 and all of ($s*) and ( all of ($x*) or all of ($y*) ) and filesize < 20KB
}
```
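As an added illustration (not part of the original page or of the rule's author), the following pure-Python code evaluates the rule's condition over a constructed buffer, showing how the `$m0 at 0`, `all of ($s*)`, `all of ($x*) or all of ($y*)` and `filesize` clauses combine and why `fullword` rejects a string glued to another word. The names `encode`, `string_matches`, `rule_matches` and `constructed_sample` are chosen here, and the fullword check is simplified to the low byte of each neighbouring character.

```python
# Pure-Python re-implementation of the rule's condition, to show how the $m0, $s*, $x*/$y*
# and filesize clauses combine. Patterns are transcribed from the rule above.
M0 = bytes.fromhex("4d5a90000300000004000000ffff0000b8")  # MZ header prefix, must sit at offset 0
STRINGS = [  # (identifier, text, encoding, fullword)
    ("$s0", "KeGetCurrentIrql", "ascii", True),
    ("$s1", "5.2.3790.0 (srv03_rtm.030324-2048)", "wide", True),
    ("$s2", "usbclass", "wide", True),
    ("$x1", "PADDINGXXPADDING" * 5, "ascii", False),
    ("$x2", "Universal Serial Bus Class Driver", "wide", True),
    ("$x3", "5.2.3790.0", "wide", True),
    ("$y1", "LSA Shell", "wide", True),
    ("$y2", "0Richw", "ascii", True),
]

def encode(text, enc):
    return text.encode("ascii") if enc == "ascii" else text.encode("utf-16-le")  # YARA "wide" = UTF-16LE

def string_matches(data, text, enc, fullword):
    """Find any occurrence; with fullword, the neighbouring characters must not be alphanumeric."""
    needle, width = encode(text, enc), (1 if enc == "ascii" else 2)
    start = 0
    while (i := data.find(needle, start)) != -1:
        start = i + 1
        if not fullword:
            return True
        before = data[i - width:i][:1] if i >= width else b""   # low byte of the preceding char
        after = data[i + len(needle):i + len(needle) + 1]        # low byte of the following char
        if not (before.isalnum() or after.isalnum()):  # simplified wide handling: low byte only
            return True
    return False

def rule_matches(data):
    """$m0 at 0 and all of ($s*) and (all of ($x*) or all of ($y*)) and filesize < 20KB"""
    hits = {n for n, t, e, f in STRINGS if string_matches(data, t, e, f)}
    all_of = lambda prefix: all(n in hits for n, *_ in STRINGS if n.startswith(prefix))
    return data.startswith(M0) and all_of("$s") and (all_of("$x") or all_of("$y")) and len(data) < 20 * 1024

def constructed_sample(include_x=True, include_y=True, size=4096, break_fullword=False):
    """Synthetic buffer constructed for this example (not a real driver) carrying the rule's strings."""
    parts = [M0 + b"\x00" * 47]  # 64-byte header-like prefix starting with the $m0 bytes
    for name, text, enc, _ in STRINGS:
        if (name.startswith("$x") and not include_x) or (name.startswith("$y") and not include_y):
            continue
        tail = b"X" if (break_fullword and name == "$s0") else b""  # glue an alnum char onto $s0
        parts.append(encode(text, enc) + tail + b"\x00\x00")
    body = b"".join(parts)
    return body + b"\x00" * max(0, size - len(body))  # pad to the requested filesize
```

`rule_matches(constructed_sample())` is true, while dropping both the `$x*` and `$y*` groups, padding the buffer to 30000 bytes, or appending an alphanumeric character to `$s0` each makes it false.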
This rule contains 9 string patterns in its detection logic. The following scenarios describe benign activity that may resemble what the rule targets, together with the filters or exclusions to apply when it is deployed:
Scenario: System Update or Patching Process
Description: A legitimate system update or patching process may trigger the rule due to the presence of similar file names or behaviors.
Filter/Exclusion: Exclude processes associated with Windows Update (svchost.exe hosting the wuauserv service), or use a filter like process.name != "wuauserv" and not (process.name == "svchost.exe" and service.name == "wuauserv").
Scenario: Scheduled Maintenance or Disk Cleanup Task
Description: A scheduled task running disk cleanup or system maintenance might be flagged due to similar file or process behavior.
Filter/Exclusion: Exclude tasks associated with cleanmgr.exe or defrag.exe, or use a filter like process.name != "cleanmgr.exe" and process.name != "defrag.exe".
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus or endpoint protection scan may trigger the rule due to the presence of similar process names or behaviors.
Filter/Exclusion: Exclude processes associated with known antivirus tools such as mpsvc.exe (Microsoft Defender), avgnt.exe, or bitdefender.exe, using a filter like process.name != "mpsvc.exe" and process.name != "avgnt.exe".
Scenario: Virtualization or VM Management Tools
Description: Virtualization tools like VMware Tools or Hyper-V may trigger the rule due to similar kernel-level activity.
Filter/Exclusion: Exclude processes related to virtualization tools such as vmtoolsd.exe, vmware-vmx.exe, or svchost.exe hosting the vmms service, using a filter like process.name != "vmtoolsd.exe" and not (process.name == "svchost.exe" and service.name == "vmms").
**Scenario: System File