Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]

ID: S0019
Aliases: Regin
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1116 | Code Signing | Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation. [1] |
| Enterprise | T1090 | Connection Proxy | Regin leveraged several compromised universities as proxies to obscure its origin. [1] |
| Enterprise | T1094 | Custom Command and Control Protocol | The Regin malware platform can use ICMP to communicate between infected computers. [1] |
| Enterprise | T1056 | Input Capture | Regin contains a keylogger. [1] |
| Enterprise | T1112 | Modify Registry | Regin appears to have functionality to modify remote Registry information. [1] |
| Enterprise | T1040 | Network Sniffing | Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. [1] |
| Enterprise | T1096 | NTFS File Attributes | The Regin malware platform uses Extended Attributes to store encrypted executables. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | The Regin malware platform supports many standard protocols, including HTTP, HTTPS, and SMB. [1] |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | The Regin malware platform can use ICMP to communicate between infected computers. [1] |
| Enterprise | T1077 | Windows Admin Shares | The Regin malware platform can use Windows admin shares to move laterally. [1] |

References