
S0019 Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]

Item Value
ID S0019
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 29 June 2020

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol The Regin malware platform supports many standard protocols, including SMB. [1]
enterprise T1071.001 Web Protocols The Regin malware platform supports many standard protocols, including HTTP and HTTPS. [1]
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes The Regin malware platform uses Extended Attributes to store encrypted executables. [1]
enterprise T1564.005 Hidden File System Regin has used a hidden file system to store some of its components. [1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Regin contains a keylogger. [1]
enterprise T1036 Masquerading -
enterprise T1036.001 Invalid Code Signature Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation. [1]
enterprise T1112 Modify Registry Regin appears to have functionality to modify remote Registry information. [1]
enterprise T1040 Network Sniffing Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. [1]
enterprise T1095 Non-Application Layer Protocol The Regin malware platform can use ICMP to communicate between infected computers. [1]
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy Regin leveraged several compromised universities as proxies to obscure its origin. [1]
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares The Regin malware platform can use Windows admin shares to move laterally. [1]

References