S0019 Regin
Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.[1]
| Item | Value |
|---|---|
| ID | S0019 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 29 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | The Regin malware platform supports many standard protocols, including SMB.[1] |
| enterprise | T1071.001 | Web Protocols | The Regin malware platform supports many standard protocols, including HTTP and HTTPS.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | The Regin malware platform uses Extended Attributes to store encrypted executables.[1] |
| enterprise | T1564.005 | Hidden File System | Regin has used a hidden file system to store some of its components.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Regin contains a keylogger.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.001 | Invalid Code Signature | Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.[1] |
| enterprise | T1112 | Modify Registry | Regin appears to have functionality to modify remote Registry information.[1] |
| enterprise | T1040 | Network Sniffing | Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | The Regin malware platform can use ICMP to communicate between infected computers.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | Regin leveraged several compromised universities as proxies to obscure its origin.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | The Regin malware platform can use Windows admin shares to move laterally.[1] |