| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.002 | Proxy: External Proxy | Regin leveraged several compromised universities as proxies to obscure its origin.[1] |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.[1] |
| Enterprise | T1112 | Modify Registry | Regin appears to have functionality to modify remote Registry information.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | The Regin malware platform supports many standard protocols, including HTTP and HTTPS.[1] |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | The Regin malware platform supports many standard protocols, including SMB.[1] |
| Enterprise | T1040 | Network Sniffing | Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | The Regin malware platform can use Windows admin shares to move laterally.[1] |
| Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | The Regin malware platform uses Extended Attributes to store encrypted executables.[1] |
| Enterprise | T1564.005 | Hide Artifacts: Hidden File System | Regin has used a hidden file system to store some of its components.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | The Regin malware platform can use ICMP to communicate between infected computers.[1] |