W32/Regin.A!tr
Analysis
- This malware gained exposure after it was found to be linked to possible state-sponsored espionage. The earliest samples of this malware have been traced back to 2008. Most of the related samples are low-level kernel drivers.
- The malware is capable of dropping the following kernel driver file:
  - usbclass.sys (described as a "Universal Serial Bus Class Driver"): this file is also detected as W32/Regin.A!tr.
- Based on initial analysis, the malware has been observed to be capable of the following behavior:
  - Monitoring network traffic
  - Updating itself through a remote C&C server
  - Stealing passwords
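A defender-side check for the dropped driver named above, added here as an example and not part of this Fortinet entry: it enumerates registered kernel drivers whose image file is called usbclass.sys and reports each file's Authenticode signature status so an analyst can triage it. The driver file name comes from this page; the function name and output fields are assumptions of the example.

```powershell
# Added example (not from the Fortinet entry): list registered kernel drivers
# whose image file is named usbclass.sys, the driver this entry reports, and
# show the file's Authenticode signature so an analyst can judge it.
function Find-SuspectDriver {
    param([string]$DriverFileName = 'usbclass.sys')   # name taken from this entry

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.PathName -and ([IO.Path]::GetFileName($_.PathName) -ieq $DriverFileName)
        } |
        ForEach-Object {
            # Win32_SystemDriver may return NT-style paths (\??\C:\... or \SystemRoot\...);
            # normalise them so the signature cmdlet can open the file.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot

            $status = 'FileNotFound'
            $signer = ''
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $status
                Signer    = $signer
            }
        }
}

# Run elevated on the host under investigation; an empty result means no
# registered driver uses that file name.
Find-SuspectDriver | Format-Table -AutoSize
```

A hit with a status other than Valid, or a signer that is not the expected vendor, is the point at which to quarantine the file per the recommended action below.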
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |