Regin virus

Hi!

Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.

When the virus is sent to a victim, it has all of its components. Can someone explain to me how the modular design poses difficulties to analysis?

Regin stores data files and payloads on disk in encrypted virtual file system files. Such files are accessed by the major routines 3Dh. Files stored inside EVFS containers are encrypted with a variant of RC5, using 64-bit blocks and 20 rounds. The encryption mode is reverse cipher feedback (CFB).

1. What is the payload?
2. "Encrypted virtual file system files": can you explain this?

As I understand it, the payload refers to the component of a computer virus that executes a malicious activity.

It’s probably better to start with just “virtual file system”.
From this helpful page: http://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html

A virtual file system (VFS), sometimes referred to as a hidden file system, is a storage technique most commonly used by kernel mode malware, usually to store components outside of the existing filesystem. By using a virtual filesystem, malware developers can both bypass antivirus scanners as well as complicate work for forensic experts.

The encrypted version is, well, encrypted.

Thanks for the answer.

Can you explain more about the payload?
