Regeorg

Threat Actor Profile Updated 2 months ago
Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg web shell and issuing a GET request using curl. They then tried to install their SysUpdate (also known as Soldier) modular backdoor, which uses the specified IP address as its Command and Control (C&C) server.

In addition, Mandiant observed instances where UNC3524 used timestomping to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory. This threat actor was also found to have placed a REGEORG web shell on a DMZ web server as an alternate access point.

Regeorg has been identified using basic and publicly available tools such as Remote Desktop Protocol (RDP) for lateral movement and the reGeorg web shell for targeting an organization's files. The cybersecurity firm Unit42 discovered three web shells used in these attacks: reGeorg, China Chopper, and AspxSpy. Incident response investigations conducted by ANSSI confirmed the use of Mimikatz and reGeorg by APT28, with Mimikatz being a popular collector of sensitive information and reGeorg serving as a tunnel creation tool. This group is known to follow up with commodity web shells, tunneling tools, attack frameworks, and living-off-the-land binaries. The threat actor leveraged several web shells for initial access to a compromised web server, including reGeorg, China Chopper, and AspxSpy.

An interesting aspect of UNC3524's use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28, which suggests a possible connection or shared tactics between these groups.
With the continuous evolution of Regeorg's tactics and its use of publicly available tools, it poses a significant threat to organizations and warrants continuous monitoring and robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT28 | 2 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
UNC3524 | 1 | UNC3524, also known as Cranefly, is a newly identified threat actor suspected of espionage activities. This group primarily targets corporate emails, focusing on employees involved in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 has demonstrated serious
LuckyMouse | 1 | LuckyMouse, also known as Budworm, Emissary Panda, and APT27, is a threat actor that has been involved in several high-profile cyber-espionage activities. The group has demonstrated its ability to develop and deploy advanced cyber tools, targeting various operating systems including MacOS, Linux, an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Web Shell
Webshell
Lateral Move...
Proxy
Malware
Kubernetes
Mandiant
Curl
Github
Exploit
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
China Chopper | Unspecified | 2 | China Chopper is a notorious malware that has been widely used by various Advanced Persistent Threat (APT) groups, notably BRONZE UNION. This web shell was found embedded in multiple web shells on SharePoint servers, such as stylecs.aspx, test.aspx, and stylecss.aspx. It is believed to be associated
ASPXSpy | Unspecified | 2 | ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable
Meterpreter | Unspecified | 1 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
SysUpdate | Unspecified | 1 | SysUpdate is a malicious software variant that has been exclusively used by Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix. In December 2020, a sample of the SysUpdate malware variant was found, with its payload being a new version of SysUpdate.
QUIETEXIT | Unspecified | 1 | QUIETEXIT is a novel malware deployed by threat group UNC3524, primarily used for long-haul remote access. It operates by being installed on opaque network appliances within the victim environment, such as SAN arrays, load balancers, and wireless access point controllers, effectively creating backdo
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Regeorg threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading | 2 months ago | Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania
CISA | 5 months ago | Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA
CERT-EU | 10 months ago | Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
MITRE | a year ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
Securityaffairs | 9 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
CERT-EU | a year ago | Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
Securityaffairs | 10 months ago | Is Gelsemium APT behind an attack in Southeast Asian Govt?
MITRE | 7 months ago | UNC3524: Eye Spy on Your Email