Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]

ID: S0019
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 29 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 Application Layer Protocol

The Regin malware platform supports many standard protocols, including SMB.[1]

.001 Web Protocols

The Regin malware platform supports many standard protocols, including HTTP and HTTPS.[1]

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

The Regin malware platform uses Extended Attributes to store encrypted executables.[1]

.005 Hide Artifacts: Hidden File System

Regin has used a hidden file system to store some of its components.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Regin contains a keylogger.[1]

Enterprise T1036 .001 Masquerading: Invalid Code Signature

Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.[1]

Enterprise T1112 Modify Registry

Regin appears to have functionality to modify remote Registry information.[1]

Enterprise T1040 Network Sniffing

Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[1]

Enterprise T1095 Non-Application Layer Protocol

The Regin malware platform can use ICMP to communicate between infected computers.[1]

Enterprise T1090 .002 Proxy: External Proxy

Regin leveraged several compromised universities as proxies to obscure its origin.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

The Regin malware platform can use Windows admin shares to move laterally.[1]

References