Regeorg

Threat Actor updated 6 hours ago (2024-11-21T11:30:42.563Z)
Regeorg is a threat actor known for its malicious activities, primarily the use of ReGeorg or Neo-reGeorg to set up a SOCKS proxy and tunnel network traffic after compromising a victim website. The group also uses ProxyChains to route Nmap scans through that tunnel into the compromised network.

In one instance, LuckyMouse operators began their attack by dropping the Nbtscan tool in C:\programdata\, then installed a variant of the ReGeorg webshell. They then issued a GET request using curl and attempted to install their SysUpdate (aka Soldier) modular backdoor, which uses the same IP address (not reproduced on this page) as its C&C server.

Mandiant observed UNC3542, another threat actor, using timestomping to alter the $STANDARD_INFORMATION timestamps of the REGEORG web shell so that they matched the other files in the same directory. This alternate access path relied on a REGEORG web shell previously placed on a DMZ web server.

The threat actors primarily target an organization's files and exploit them with largely basic, publicly available tools such as Remote Desktop Protocol (RDP) for lateral movement and the reGeorg web shell. Further investigation revealed multiple web shells in these attacks, including reGeorg, China Chopper, and AspxSpy, all of them publicly available. Incident response investigations by ANSSI confirmed APT28's use of Mimikatz, a widely used collector of credentials and other sensitive information, and reGeorg, a tunnelling tool. The group can follow up with several commodity web shells, tunnelling tools, attack frameworks, and living-off-the-land binaries. This breadth of tooling increases the complexity and severity of the potential impact.
Description last updated: 2024-11-21T10:46:46.070Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: APT28 (2 votes)
APT28 is a possible alias for Regeorg. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC).
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Web Shell
Proxy
Webshell
Associated Malware
Malware: China Chopper (association type: Unspecified; 2 votes)
The China Chopper malware is associated with Regeorg. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou [description truncated on the source page]

Malware: ASPXSpy (association type: Unspecified; 2 votes)
The ASPXSpy malware is associated with Regeorg. ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022, when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable [description truncated on the source page]