A new backdoor that has seemingly been developed to compromise corporate networks has been discovered by FireEye‘s researcher Atif Mushtaq, and made him speculate that – taking in consideration the recent emergence of other powerful backdoors – some criminals have begun looking beyond stealing only that which is immediately available on a system.
This backdoor is dubbed Vinself, and has the following capabilities:
- Custom obfuscation techniques are used to communicate over HTTP with C&Cs – currently, one in Spain and one in the U.S.
- Records vital system information, encrypts it and sends it out
- Ability to hibernate for a protracted period of time – at start up, it looks for a file called winfont.cpl, reads the date in it and activates itself on that date. If there is no such file on the system, it activates itself immediately
- Ability to pass through browser configured proxies, indicating that it was likely designed to target corporate networks behind firewalls.