Regeorg

Threat Actor updated 4 months ago (2024-05-21T22:17:30.936Z)
Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then attempted to install their SysUpdate (also known as Soldier) modular backdoor, which uses the specified IP address as its Command and Control (C&C) server. Mandiant also observed UNC3524 using timestomping to alter the Standard Information timestamps of the REGEORG web shell so that they matched other files in the same directory, and found that the actor had placed a REGEORG web shell on a DMZ web server as an alternate access point. Regeorg has been identified using basic, publicly available tools such as Remote Desktop Protocol (RDP) for lateral movement and the reGeorg web shell for targeting an organization's files. Unit 42 discovered three web shells used in these attacks: reGeorg, China Chopper, and AspxSpy. Incident response investigations conducted by ANSSI confirmed the use of Mimikatz and reGeorg by APT28, with Mimikatz serving as a collector of sensitive information and reGeorg as a tunnelling tool. This group is known to follow up with commodity web shells, tunnelling tools, attack frameworks, and living-off-the-land binaries. The threat actor leveraged several web shells for initial access to a compromised web server, including reGeorg, China Chopper, and AspxSpy. An interesting aspect of UNC3524's use of REGEORG was that it matched identically the version publicly reported by the NSA as used by APT28, which suggests a possible connection or shared tactics between these groups.
Given the continuing evolution of Regeorg's tactics and its use of publicly available tools, it poses a significant threat to organizations and warrants ongoing monitoring and robust cybersecurity measures.
Description last updated: 2024-05-21T22:16:55.701Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT28 | 2 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Web Shell
Webshell
Associated Malware
ID | Type | Votes | Profile Description
China Chopper | Unspecified | 2 | China Chopper is a well-known malware that has been utilized extensively by various cyber threat actors, including the notorious BRONZE UNION group. This web shell, designed to provide remote access and control over compromised web servers, was found embedded in multiple SharePoint server webshells
ASPXSpy | Unspecified | 2 | ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable
Source Document References
Information about the Regeorg Threat Actor was read from the documents corpus below.
Source | Created | Title
DARKReading | 4 months ago | Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania
CISA | 6 months ago | Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA
CERT-EU | a year ago | Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
MITRE | 2 years ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
Securityaffairs | 10 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
CERT-EU | a year ago | Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
Securityaffairs | a year ago | Is Gelsemium APT behind an attack in Southeast Asian Govt?
MITRE | 9 months ago | UNC3524: Eye Spy on Your Email