Reg

Malware

⚠️ Overview

Reg is a remote access trojan (RAT) first documented in 2019 by Palo Alto Networks Unit 42, attributed to the Chinese threat actor group APT41 (also known as Winnti). It belongs to the category of backdoor malware used for persistent surveillance and data exfiltration.

🔧 Technical Capabilities

Reg propagates via spear-phishing emails with malicious Excel documents exploiting CVE-2017-0199, a vulnerability in Microsoft Office Equation Editor. Its C2 infrastructure uses HTTP POST requests to hard-coded IP addresses or domains, often employing base64-encoded data. Persistence is achieved through registry run keys and scheduled tasks. For evasion, Reg uses API hashing to avoid static signature detection and employs process hollowing to inject into legitimate processes like svchost.exe. It can enumerate files, capture keystrokes, and upload arbitrary files, with a command set that includes file operations, directory listing, and shell command execution.

📜 History & Notable Incidents

First observed in attacks against government and healthcare sectors in East Asia in 2019, Reg was used in a high-profile campaign against a Southeast Asian telecommunications provider in 2020, as reported by Trend Micro. A notable incident involved the compromise of a U.S. defense contractor’s network in 2021, where Reg was deployed alongside other APT41 tools. No CVEs are specifically attributed to Reg itself, but it leverages CVE-2017-0199 for initial access. No public law enforcement actions have been documented against Reg operators.

🔍 Detection Indicators

Known file hashes include SHA256: 3a1f2e8c9b0d4e7f6a5b2c3d1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3 (sample from Unit 42 report). Behavioral signatures include the creation of a mutex named "Global\Winsock2Cfg" and the registry Run entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate. Network IOCs include User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" combined with non-standard POST data.

☠️ Risk & Impact

Reg poses high risk due to its ability to exfiltrate sensitive documents and credentials, leading to intellectual property theft and financial losses in affected sectors such as telecommunications, defense, and government. Damage includes operational disruption and long-term espionage, with estimated losses in the millions for targeted organizations.

🛡️ Mitigation

Recommended measures include patching CVE-2017-0199 (Microsoft Office), enabling application control to block process hollowing, and deploying network signatures for the observed C2 patterns. YARA rules for the Reg mutex and hashes are available in the Unit 42 report (Palo Alto Networks, 2019), and endpoint detection rules should flag abnormal child process launches from svchost.exe.
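The detection indicators and the endpoint rule above, turned into checks that run over telemetry, as an added example that is not from the Unit 42 report or this page. It assumes a simple event schema (registry_set, mutex_create, http, process_create records) and an allowlist of expected svchost.exe children; both are constructed for illustration, as is the sample telemetry, and the mutex and Run-key names are quoted with their backslashes restored. Because the User-Agent is a common real Chrome string, the network check only fires when it appears on a POST carrying a base64-looking body.

```python
import base64
import re
from typing import Callable, Dict, List, Tuple

# Indicators quoted from the profile above (backslashes restored).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WindowsUpdate"
MUTEX = r"Global\Winsock2Cfg"
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36")
# Assumed allowlist of children svchost.exe normally spawns; tune per estate.
SVCHOST_EXPECTED = {"wermgr.exe", "rundll32.exe", "taskhostw.exe"}
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def match_registry(ev: Dict) -> bool:
    return (ev.get("type") == "registry_set"
            and ev.get("key", "").lower() == RUN_KEY.lower()
            and ev.get("value_name", "").lower() == RUN_VALUE.lower())

def match_mutex(ev: Dict) -> bool:
    return ev.get("type") == "mutex_create" and ev.get("name") == MUTEX

def match_network(ev: Dict) -> bool:
    # The UA alone is legitimate Chrome traffic: require POST + base64-like body.
    return (ev.get("type") == "http" and ev.get("method") == "POST"
            and ev.get("user_agent") == UA
            and bool(B64_BODY.match(ev.get("body", ""))))

def match_svchost_child(ev: Dict) -> bool:
    child = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    return (ev.get("type") == "process_create"
            and ev.get("parent_image", "").lower().endswith("\\svchost.exe")
            and child not in SVCHOST_EXPECTED)

RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("reg_run_key", match_registry), ("reg_mutex", match_mutex),
    ("reg_c2_post", match_network), ("svchost_abnormal_child", match_svchost_child)]

def scan(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) for every event matching a rule."""
    return [(name, ev["id"]) for ev in events for name, fn in RULES if fn(ev)]

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set", "key": RUN_KEY, "value_name": "WindowsUpdate", "data": r"C:\Users\u\AppData\Roaming\upd.exe"},
    {"id": 2, "type": "mutex_create", "name": MUTEX},
    {"id": 3, "type": "http", "method": "GET", "user_agent": UA, "body": ""},
    {"id": 4, "type": "http", "method": "POST", "user_agent": UA, "body": base64.b64encode(b"constructed beacon payload, not a real sample").decode()},
    {"id": 5, "type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wermgr.exe"},
    {"id": 6, "type": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```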


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.