they are not the one in and out attack
they are deliberate operations that consist of different stages with as only goal to get information on a longterm basis with all the necessary rights and in which it is paramount not to be discovered too fast and to have enough backdoors to get the information without being discovered
it is just like an espionage operation, nothing more - nothing less
1. you drop a file on the computer and wait to see if it passes the defenses and virusanalyses and if the user has enough rights to install it (that is why installing files should be the exception for users, not the rule)
2. than you load the files that are in the dropper and you start loading them with the next startup after which it drops its files in the kernel so that they won't be seen by the antivirus (or very rarely)
3. you start looking at the files of the user, his passwords, his connections and routines and you start working
The definition of the process by Symantec is a perfect description of an espionage operation
"As outlined in a new technical whitepaper from Symantec, Backdoor.Regin is a multi-staged threat and each stage is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. Each individual stage provides little information on the complete package. Only by acquiring all five stages is it possible to analyze and understand the threat.
this is why I personally think that securitypeople in highly confidential and strategic networks should read and learn more about espionage and espionage operations
this is no different
probably it is even made by an espionage agency and by people who are programmers but who are trained as spies and think like spies and have the same goals and strategies and reflexes like spies
and thus my last quote just proofs my case, it is espionageware written by spies for spies
"What makes Regin different is who it attacks. Instead of going only after high-worth targets, Regin attacks many different targets in an attempt to piece together contextual information. Of the 9% of Regin attacks in the hospitality industry, 4% targeted low-level computers, presumably for this information.
“The average person needs to be aware,” O’Murchu says. “A lot of the infections are not the final target. They are third parties providing some extra information to get to a final target. Lot of people think, ‘I don’t have anything of importance, why would anyone get on my computer?’ Ordinary people who may not think they’re targets in fact are.”http://fortune.com/2014/11/23/regin-malware-surveillance/?xid=yahoo_fortune
this is nothing other but an operation - an intelligence operation