Neo-reGeorg is a type of malware that was first observed in use by the Sandworm APT group in June 2022. The initial attack vector remains unknown, but researchers noted that the group's activity began with the deployment of the Neo-reGeorg webshell on a server exposed to the public internet. This harmful program, designed to exploit and damage computer systems, can infiltrate through suspicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom.
The hackers used reGeorg or Neo-reGeorg to set up a proxy to tunnel network traffic after compromising a victim website. This allowed them to maintain access to the compromised systems and further their illicit activities undetected. Furthermore, they utilized ProxyChains to run Nmap within the network, an action that enables scanning and exploration of the victim's network infrastructure to identify potential vulnerabilities and additional targets.
At the time of initial access, Russian hackers deployed a web shell known as Neo-reGeorg on an internet-facing server. This activity aligns with the group's previous behavior of scanning and exploiting internet-facing servers for initial access. Following this, they deployed GoGetter, a custom TCP tunneling tool, for command and control. This tool allows the attackers to maintain a persistent presence within the compromised system, execute commands remotely, and exfiltrate data, demonstrating a sophisticated level of cyber espionage capability.
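A web shell used as an HTTP tunnel (the reGeorg/Neo-reGeorg pattern described above) leaves a distinctive trace in web server access logs: one client hammering a single script with a sustained stream of POST requests whose responses are small, because each request carries a slice of proxied traffic rather than a page. The script below is an added example, not code from the page or from the Sandworm reporting it summarises; it parses constructed Apache/nginx "combined"-style log lines and flags (client, path) pairs whose POST burst exceeds a rate threshold with a small average response size. The log format regex, the thresholds (50 POSTs per 60 seconds, average response at or under 512 bytes), the IP addresses, and the file paths are all assumptions chosen for illustration and should be tuned against the site's real baseline.

```python
"""Heuristic detector for HTTP-tunnelling web shells in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Simplified "combined" access-log format; the regex is an assumption for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "bytes": size,
    }


def find_tunnel_candidates(lines, min_posts=50, window_seconds=60, max_avg_bytes=512):
    """Return (ip, path) pairs that received at least `min_posts` POSTs inside any
    `window_seconds` window with an average response size of at most `max_avg_bytes`.
    Thresholds are assumptions; a legitimate API with large responses is not flagged."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            by_key[(rec["ip"], rec["path"])].append(rec)

    hits = []
    for (ip, path), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this client's POSTs
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_posts:
                avg = sum(r["bytes"] for r in recs[start:end + 1]) / count
                if avg <= max_avg_bytes:
                    hits.append({"ip": ip, "path": path,
                                 "posts_in_window": count, "avg_bytes": avg})
                    break  # one finding per (ip, path) is enough
    return hits


def sample_log():
    """Constructed sample: normal browsing, a busy but legitimate search API, and a
    burst of tiny POSTs from one client to a single script (the tunnelling pattern)."""
    base = datetime(2022, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):  # ordinary page views
        ts = (base + timedelta(seconds=i * 7)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 5120')
    for i in range(60):  # high-volume API, but responses are large: not a tunnel
        ts = (base + timedelta(seconds=i * 0.5)).strftime(TS_FMT)
        lines.append(f'198.51.100.9 - - [{ts}] "POST /api/search HTTP/1.1" 200 8192')
    for i in range(80):  # 80 small POSTs to one script within 40 seconds (constructed)
        ts = (base + timedelta(seconds=i * 0.5)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "POST /uploads/image.jsp HTTP/1.1" 200 120')
    return lines


if __name__ == "__main__":
    for hit in find_tunnel_candidates(sample_log()):
        print(f"possible HTTP tunnel: {hit['ip']} -> {hit['path']} "
              f"({hit['posts_in_window']} POSTs, avg {hit['avg_bytes']:.0f} bytes)")
```

A hit from this heuristic is a triage lead, not a verdict: confirm it by checking whether the flagged script is a file the deployment process never wrote, whether the web server process started making many outbound internal connections (the ProxyChains/Nmap activity described above would appear that way), and by reviewing the full request bodies if the web server logs them.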
Description last updated: 2024-11-21T10:46:15.989Z