With high profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans writing code, some mistakes are inevitable. Among the most interesting things we observed in the Regin malware operation were the forgotten codenames for some of its modules.
These are:
- Hopscotch
- Legspin
- Willischeck
- U_STARBUCKS
We decided to analyze two of these modules in more detail – Hopscotch and Legspin.
Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators. What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.
The Hopscotch module
MD5 | 6c34031d7a5fc2b091b623981a8ae61c |
Size | 36864 bytes |
Type | Win32 EXE |
Compiled | 2006.03.22 19:09:29 (GMT) |
This module has another binary inside, stored as resource 103:
MD5 | 42eaf2ab25c9ead201f25ecbdc96fb60 |
Size | 18432 bytes |
Type | Win32 EXE |
Compiled | 2006.03.22 19:09:29 (GMT) |
This executable module was designed as a standalone interactive tool for lateral movement. It does not contain any exploits but instead relies on previously acquired credentials to authenticate itself at the remote machine using standard APIs.
The module receives the name of the target machine and an optional remote file name from the standard input (operator). The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.
Here’s an example of “Hopscotch” running inside a virtual machine:
Authentication Mechanism (SU or NETUSE) [S]/N: |
Continue? [n]: |
A File of the same name was already present on Remote Machine – Not deleting… |
The module can use two routines to authenticate itself at the target machine: either connecting to the standard share named “IPC$” (method called “NET USE”) or logging on as a local user (“SU”, or “switch user”) who has enough rights to proceed with further actions.
It then extracts a payload executable from its resources and writes it to a location on the target machine. The default location for the payload is: \\%target%\ADMIN$\SYSTEM32\SVCSTAT.EXE. Once successful, it connects to the remote machine’s service manager and creates a new service called “Service Control Manager” to launch the payload. The service is immediately started and then stopped and deleted after one second of execution.
The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes. One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption.
\\%target%\pipe\{44fdg23a-1522-6f9e-d05d-1aaf0176138a}
Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.
The SVCSTAT.EXE payload module launches its copy in the process dllhost.exe and then prepares the corresponding named pipes on the target machine and waits for incoming data. Once the original module connects to the pipe, it sets up the encryption of the pipe communication and waits for the incoming shellcode.
The executable is injected in a new process of dllhost.exe or svchost.exe and executed, with its input and output handles redirected to the remote plugin that initiated the attack. This allows the operator to control the injected module and interact with it.
The Legspin module
MD5 | 29105f46e4d33f66fee346cfd099d1cc |
Size | 67584 bytes |
Type | Win32 EXE |
Compiled | 2003.03.17 08:33:50 (GMT) |
This module was also developed as a standalone command line utility for computer administration. When run remotely it becomes a powerful backdoor. It is worth noting that the program has full console support and features colored output when run locally. It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.
“Legspin” output in a standard console window with color highlighting
In addition to the compilation timestamp found in the PE headers, there are two references that point to 2003 as its true year of compilation. The program prints out two version labels:
- 2002-09-A, referenced as “lib version”
- 2003-03-A
In addition the program uses legacy API functions, like “NetBIOS” that was introduced in Windows 2000 and deprecated in Windows Vista.
Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands. The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.
The Legspin module we recovered doesn’t have a built-in C&C mechanism. Instead, it relies on the Regin platform to redirect the console input/output to/from the operators.
Conclusions
Unlike most other Regin modules, Legspin and Hopscotch appear to be stand-alone tools developed much earlier. The Legspin backdoor in particular dates back to 2003 and perhaps even 2002. It’s worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions.
This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.
Although more details about Regin are becoming available, there is still a lot that remains unknown. One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.
An analysis of Regin’s Hopscotch and Legspin