The hypothesis is that the detected Regin backdoor sample indicates potential adversary persistence and data exfiltration capabilities within the environment. SOC teams should proactively hunt for this behavior to identify and mitigate advanced persistent threats that may have already established a foothold.
YARA Rule
rule Regin_Sample_3
{
    meta:
        description = "Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
        author = "@Malwrsignatures"
        date = "27.11.14"
        hash = "fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129"
    strings:
        $hd = { fe ba dc fe }
        $s0 = "Service Pack x" fullword wide
        $s1 = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" fullword wide
        $s2 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix" fullword wide
        $s3 = "mntoskrnl.exe" fullword wide
        $s4 = "\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management" fullword wide
        $s5 = "Memory location: 0x%p, size 0x%08x" fullword wide
        $s6 = "Service Pack" fullword wide
        $s7 = ".sys" fullword wide
        $s8 = ".dll" fullword wide
        $s10 = "\\REGISTRY\\Machine\\Software\\Microsoft\\Updates" fullword wide
        $s11 = "IoGetRelatedDeviceObject" fullword ascii
        $s12 = "VMEM.sys" fullword ascii
        $s13 = "RtlGetVersion" fullword wide
        $s14 = "ntkrnlpa.exe" fullword ascii
    condition:
        ( $hd at 0 ) and all of ($s*) and filesize > 160KB and filesize < 200KB
}
This YARA rule can be deployed in the following contexts:
This rule contains 15 string patterns in its detection logic.
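To see how the rule's operators combine, here is an added Python evaluator (not part of the original page or of the rule author's tooling) that re-implements `at 0`, `wide`/`ascii`, `fullword` and the filesize bounds without yara-python and runs them against a constructed test blob; the blob and the helper names are assumptions, not a real sample.

```python
MAGIC = bytes.fromhex("febadcfe")              # $hd at 0
SIZE_MIN, SIZE_MAX = 160 * 1024, 200 * 1024    # filesize > 160KB and filesize < 200KB
ALNUM = set(b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
# $s* strings and their encoding, copied from the rule (which defines no $s9).
STRINGS = {
    "s0": ("Service Pack x", "wide"),
    "s1": ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "wide"),
    "s2": ("\\REGISTRY\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HotFix", "wide"),
    "s3": ("mntoskrnl.exe", "wide"),
    "s4": ("\\REGISTRY\\Machine\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management", "wide"),
    "s5": ("Memory location: 0x%p, size 0x%08x", "wide"),
    "s6": ("Service Pack", "wide"),
    "s7": (".sys", "wide"),
    "s8": (".dll", "wide"),
    "s10": ("\\REGISTRY\\Machine\\Software\\Microsoft\\Updates", "wide"),
    "s11": ("IoGetRelatedDeviceObject", "ascii"),
    "s12": ("VMEM.sys", "ascii"),
    "s13": ("RtlGetVersion", "wide"),
    "s14": ("ntkrnlpa.exe", "ascii"),
}

def _alnum_char(chunk, wide):
    """True if chunk is one alphanumeric character (UTF-16LE when wide, else ASCII)."""
    return len(chunk) == (2 if wide else 1) and chunk[0] in ALNUM and (not wide or chunk[1] == 0)

def fullword_match(data, text, enc):
    """YARA 'fullword': the match must be bounded by non-alphanumeric characters."""
    wide = enc == "wide"
    needle, step = text.encode("utf-16-le" if wide else "ascii"), (2 if wide else 1)
    pos = data.find(needle)
    while pos >= 0:
        before = data[max(pos - step, 0):pos]
        after = data[pos + len(needle):pos + len(needle) + step]
        if not _alnum_char(before, wide) and not _alnum_char(after, wide):
            return True
        pos = data.find(needle, pos + 1)
    return False

def evaluate(data):
    """Evaluate the rule's condition, returning every sub-term so a miss can be explained."""
    strings = {name: fullword_match(data, t, e) for name, (t, e) in STRINGS.items()}
    result = {"hd_at_0": data[:4] == MAGIC, "strings": strings,
              "filesize_ok": SIZE_MIN < len(data) < SIZE_MAX}
    result["match"] = result["hd_at_0"] and all(strings.values()) and result["filesize_ok"]
    return result

def build_test_blob(omit=(), size=170 * 1024):
    """Constructed test input, not a real sample: header, NUL-separated strings, NUL padding."""
    body = b"".join(t.encode("utf-16-le" if e == "wide" else "ascii") + b"\x00\x00"
                    for n, (t, e) in STRINGS.items() if n not in omit)
    return (MAGIC + body).ljust(size, b"\x00")
```

Dropping a single `$s*` string or shrinking the blob below 160KB flips `match` to False, which mirrors how `all of ($s*)` and the filesize bounds gate the rule in YARA itself.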
Scenario: A system administrator is using PowerShell to run a legitimate script that hashes to the same value as the Regin backdoor sample.
Filter/Exclusion: Check for ProcessName containing powershell.exe and CommandLine containing -File or -Command with known administrative scripts.

Scenario: A Windows Scheduled Task is configured to run a legitimate maintenance script that coincidentally matches the hash of the Regin backdoor.
Filter/Exclusion: Filter events where ProcessName is schtasks.exe or TaskName contains "Maintenance" or "Cleanup".

Scenario: A Microsoft Endpoint Protection (EPP) update or scan is generating a false positive due to a hash collision with the Regin sample.
Filter/Exclusion: Exclude events where ProcessName is mpcmdrun.exe or msseces.exe, and check for EventIDs related to virus scan updates.

Scenario: A Windows Defender ATP sensor is generating alerts because a legitimate tool such as Sysmon or Windows Security Center has a matching hash.
Filter/Exclusion: Exclude events where ProcessName is MsMpEng.exe, MsSense.exe, or svchost.exe with known security service modules.

Scenario: A remote management tool such as PsExec or WMIC is being used to execute a legitimate script that hashes to the same value as the Regin sample.
Filter/Exclusion: Filter events where ProcessName is psexec.exe, wmic.exe, or cmd.exe, and check for CommandLine containing known remote management commands.