Analysts detail spying tool Regin’s malicious modules

Researchers have published new insight on modules for a sophisticated spying tool, dubbed “Regin.”

The threat, believed to be used for intelligence gathering by a nation-state, was uncovered last November and linked to attack operations dating back to 2008, security firm Symantec said at the time. Now, researchers at Kaspersky have analyzed two modules of the malware, called “Hopscotch” and “Legspin.”

In a Thursday blog post, Costin Raiu, director of the global research and analysis team at Kaspersky Lab, and researcher Igor Soumenkov, detailed the modules' purposes. Both modules were designated as stand-alone tools, with Legspin, a backdoor, dating as far back as 2002, and Hopscotch described as a newer tool used for lateral movement within targeted networks.

Kaspersky noted that Hopscotch runs inside a virtual machine, and is capable of using two routines to authenticate itself using “previously acquired credentials”: connecting to the standard share called “IPC$,” or logging on as a local user that has desired user rights, the blog said.

The Hopscotch module ultimately sets up a “two-way encrypted communication channel” with the remote payload it launches, using the RC4 algorithm to protect data extracted and sent to operators and asymmetric encryption to hide the initial key exchange that takes place, Kaspersky said.

“Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation,” the blog post continued.

The other module, Legspin, was described as a “powerful backdoor” that allows its operator to carry out a number of administrative actions.

“Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user,” Kaspersky revealed.

In a Friday interview, Raiu said that Kaspersky specifically examined Hopscotch and Legspin because the tools “can also work independently [of Regin] and both have been created so that they can be operated from the command line of one of the Regin attackers.”

He later added that, of the Regin infections which span 27 organizations in 14 countries, the Legspin module was deployed in only one attack.

“Legspin is quite rare and we've seen just one instance where this backdoor was used [by Regin's operators],” Raiu said. “There is a chance that people may find this backdoor on their networks with a different [family] of malware,” he noted.

Given the sophistication of the Regin attackers, Raiu said that it is unlikely they will abandon these operations anytime soon – though they might “wait for the buzz to dissipate then come with new tools or tactics” to target organizations.

Back in November, Kaspersky said that victims of Regin included telecom operators, government institutions, multi-national political bodies, financial institutions and research entities.
