Regeorg

Regeorg is a threat actor known for its malicious activities, primarily involving the use of ReGeorg or Neo-reGeorg to set up a proxy and tunnel network traffic following the compromise of a victim website. This group also employs ProxyChains to run Nmap within the compromised network. In one instance, LuckyMouse operators initiated their attack by dropping the Nbtscan tool in C:\programdata\, followed by the installation of a variant of the ReGeorg webshell. They then issued a GET request using curl and attempted to install their SysUpdate (aka Soldier) modular backdoor that uses the aforementioned IP address as its C&C server. Mandiant, a cybersecurity firm, observed instances where UNC3542, another threat actor, used timestomping to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory. This alternate access was facilitated by a REGEORG web shell previously placed on a DMZ web server. The threat actors primarily aim for an organization's files and start exploiting them using largely basic and publicly available tools like remote desktop protocol (RDP) for lateral movement, and the reGeorg Web shell. Further investigations have revealed the use of multiple web shells in these attacks, including reGeorg, China Chopper, and AspxSpy. These are all publicly available tools. Incident response investigations conducted by ANSSI confirmed the use of Mimikatz and reGeorg tools by APT28, with the former being a popular collector of sensitive information and the latter a tunnel creation tool. The group can follow up with several commodity web shells, tunneling tools, attack frameworks, and living-off-the-land binaries. This highlights the extensive range of tools and techniques at the disposal of these threat actors, increasing the complexity and severity of their potential impact.