W32/Regin.A!tr

Analysis


  • This malware gained exposure after it was found to be linked with possible state-sponsored espionage. Initial samples have been traced back to 2008. Most of the related samples are low-level kernel drivers.

  • The malware has the capability to drop the following kernel driver file:
    • usbclass.sys ("Universal Serial Bus Class Driver"): This file is also detected as W32/Regin.A!tr.

  • Based on initial analysis, the malware has been observed to be capable of the following behavior:
    • Monitor network traffic
    • Update itself through a remote C&C server
    • Steal passwords

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2021-02-16  84.08100   Sig Updated
2020-12-02  82.27000   Sig Updated
2020-10-25  81.34900   Sig Updated
2020-10-23  81.30100   Sig Updated
2018-10-02  62.63500   Sig Updated