Vinself – a backdoor for corporate networks?

A new backdoor that seems to have been developed to compromise corporate networks has been discovered by FireEye's researcher Atif Mushtaq, who speculates that – taking into consideration the recent emergence of other powerful backdoors – some criminals have begun looking beyond stealing only what is immediately available on a system.

This backdoor is dubbed Vinself, and has the following capabilities:

  • Custom obfuscation techniques are used to communicate over HTTP with C&Cs – currently, one in Spain and one in the U.S.
  • Records vital system information, encrypts it and sends it out
  • Ability to hibernate for a protracted period of time – at start-up, it looks for a file called winfont.cpl, reads the date in it and activates itself on that date. If there is no such file on the system, it activates itself immediately
  • Ability to pass through browser-configured proxies, indicating that it was likely designed to target corporate networks behind firewalls.
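The dormancy mechanism above gives defenders a concrete host artefact to hunt for: a file named winfont.cpl whose content is a date. The following script is an added example, not code from the original article or from FireEye; it walks a set of directories, flags any winfont.cpl, tries to parse a date from its content and reports whether the activation date still lies in the future. The date formats it tries, the 64-byte read and the default search root are assumptions, because the article does not say how the date is stored or where the file lives.

```python
"""Hunt for the Vinself-style dormancy marker (added example, not the
original article's or FireEye's code).

The backdoor reportedly reads an activation date from a file named
winfont.cpl and stays dormant until that date.  This script flags any
such file and classifies it relative to a reference day.
"""
import os
import re
import sys
from datetime import date, datetime
from typing import Optional

MARKER_NAME = "winfont.cpl"

# Formats tried when parsing the marker content.  Assumption: the
# article does not document the real on-disk format.
DATE_FORMATS = ("%Y-%m-%d", "%Y%m%d", "%d/%m/%Y", "%m/%d/%Y")


def parse_activation_date(raw: bytes) -> Optional[date]:
    """Return the date stored in the marker content, or None if none parses."""
    text = raw.decode("ascii", errors="ignore")
    # First run of digits with optional '-' or '/' separators, e.g. 2011-03-15.
    match = re.search(r"\d{1,4}[-/]?\d{1,2}[-/]?\d{1,4}", text)
    if not match:
        return None
    token = match.group(0)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(token, fmt).date()
        except ValueError:
            continue
    return None


def classify_marker(raw: bytes, today: date) -> str:
    """Classify a marker's content: unparseable, still dormant, or armed."""
    activation = parse_activation_date(raw)
    if activation is None:
        return "present-unparseable"
    if activation > today:
        return "dormant-until-%s" % activation.isoformat()
    return "armed"


def hunt(roots, today: Optional[date] = None):
    """Walk the given directories; return a list of (path, verdict) findings."""
    today = today or date.today()
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != MARKER_NAME:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        raw = fh.read(64)  # assumption: the date fits in the first bytes
                except OSError as exc:
                    findings.append((path, "present-unreadable: %s" % exc))
                    continue
                findings.append((path, classify_marker(raw, today)))
    return findings


if __name__ == "__main__":
    # Default root is an assumption; pass explicit directories to override.
    roots = sys.argv[1:] or [os.environ.get("SystemRoot", r"C:\Windows")]
    results = hunt(roots)
    if not results:
        print("no %s found under %s" % (MARKER_NAME, ", ".join(roots)))
    for path, verdict in results:
        print(path, verdict)
```

Any hit is worth escalating regardless of the verdict: a parseable future date shows the host is already compromised and merely waiting, and an unparseable file with this name is itself suspicious. Note that ambiguous day/month tokens resolve to the first format in DATE_FORMATS that accepts them.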