HIPS/RegMod-012


By ESGI Advisor in Trojans

The most widely reported malware threat of May 2012 is the Flame worm, an extremely dangerous infection first reported on computers in Iran. Unlike Flame, which many experts believe was created to attack and destabilize Iran's government, HIPS/RegMod-012 appears to target Iranian citizens, especially dissidents and political activists. The HIPS/RegMod-012 attack resembles earlier campaigns against political activists in regions such as Syria and Tibet, which exploit these groups' need for anonymity by trojanizing the very encryption and privacy tools they depend on.

HIPS/RegMod-012 is Disguised as a Legitimate Encryption Tool

Many Iranian citizens use a free tool known as Simurgh to shield their online activity from government surveillance and censorship. ESG malware analysts have found HIPS/RegMod-012 disguised as a legitimate copy of this security program. Simurgh sets up an encrypted proxy connection, and it is also used by political dissidents elsewhere in the Middle East; it lets computer users conceal their online activity and bypass government blocks on particular websites. Simurgh can be downloaded for free from its creators' official web page, simurghesabz(dot)net, but ESG security analysts have found malicious copies of Simurgh (bundled with hidden Trojan infections) on popular torrent websites.

Differentiating the Real Simurgh from HIPS/RegMod-012

The legitimate version of Simurgh requires no installation: it is built for people who need quick anonymity from public access points such as Internet cafes or unencrypted wireless networks, and is meant to be carried on a memory stick or SD card, plugged into whatever computer is at hand, and run directly. The most apparent difference, then, is that trojanized versions such as HIPS/RegMod-012 usually present an installation dialog. An installer dialog is an indicator rather than proof, however; the reliable check is to obtain Simurgh only from the official site and to compare the downloaded file's hash with one obtained from the developers through a trusted channel. Once 'installed', HIPS/RegMod-012 begins spying on the victim's activity. The infection is thorough and gathers a wide range of sensitive information, which it then sends to servers located in the United States that appear to be registered to a Saudi entity.
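The two checks described above (does the file match a known-good hash, and does a supposedly portable tool carry an installer stub?) can be automated before a downloaded copy is ever run. The script below is an added example written for this article; it is not code from ESG or from the Simurgh project. The byte patterns it looks for are the markers that common Windows installer stubs (NSIS, Inno Setup, InstallShield, MSI wrappers) embed in their executables. The two sample "downloads" and the pinned hash set are constructed in the script for demonstration; a real pinned set would hold the hash of the genuine Simurgh binary obtained from its developers, which this page does not provide.

```python
import hashlib
from dataclasses import dataclass, field

# Byte strings that common Windows installer stubs embed in the executable.
# A genuinely portable tool, which the real Simurgh is, should contain none of them.
INSTALLER_MARKERS = {
    "NSIS": b"NullsoftInst",
    "Inno Setup": b"Inno Setup Setup Data",
    "InstallShield": b"InstallShield",
    "MSI-wrapped": b"Windows Installer",
}


@dataclass
class Verdict:
    sha256: str
    hash_matches_pinned: bool
    installer_markers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either signal alone is enough to refuse to run the file.
        return (not self.hash_matches_pinned) or bool(self.installer_markers)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_download(data: bytes, pinned_sha256: set) -> Verdict:
    """Hash the file, compare against the pinned set, and scan for installer stubs."""
    digest = sha256_hex(data)
    markers = [name for name, pattern in INSTALLER_MARKERS.items() if pattern in data]
    return Verdict(digest, digest in pinned_sha256, markers)


# --- Constructed samples (assumption: stand-ins for real downloads) -----------
# A fake "portable" binary: a PE-looking header followed by neutral content.
GOOD_SAMPLE = b"MZ" + b"\x00" * 62 + b"simurgh portable proxy client (constructed sample)"
# A fake trojanized copy: same idea, but carrying an NSIS installer marker.
TROJANIZED_SAMPLE = b"MZ" + b"\x00" * 62 + b"setup stub NullsoftInst (constructed sample)"

# Assumption: in practice this hash comes from the developers over a trusted channel;
# here it is simply the hash of the constructed good sample.
PINNED_SHA256 = {sha256_hex(GOOD_SAMPLE)}


def demo():
    """Run both constructed samples through the check and return the verdicts."""
    good = inspect_download(GOOD_SAMPLE, PINNED_SHA256)
    bad = inspect_download(TROJANIZED_SAMPLE, PINNED_SHA256)
    return good, bad


if __name__ == "__main__":
    for label, verdict in zip(("good", "trojanized"), demo()):
        status = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:10s} sha256={verdict.sha256[:16]}... "
              f"pinned={verdict.hash_matches_pinned} "
              f"installer_markers={verdict.installer_markers} -> {status}")
```

A file that fails either test should not be executed; the hash comparison catches any tampering, and the marker scan gives a human-readable reason when the tampering took the form the article describes, a portable tool repackaged inside an installer.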
