Softpedia
 


November 25th, 2010, 08:36 GMT · By

New Corporate Espionage Backdoor Identified

VinSelf backdoor targets corporate networks
A new backdoor, specifically designed to target corporate networks for the purpose of stealing confidential documents, has been identified in highly targeted attacks.

The sophisticated piece of malware was discovered by researchers from security vendor FireEye, who warn that it gives attackers complete control over the infected systems.

Dubbed VinSelf, the backdoor has three components: a DLL file providing its main functionality, an executable responsible for hooking into the Internet Explorer process and a rootkit which makes sure the other two components are running.

The backdoor uses custom obfuscation techniques to communicate over HTTP with two command and control servers located in Spain and the United States.

System information is submitted to URLs generated based on the current date. The data is encrypted and has a GIF header, similar to the backdoors distributed via the recent IE zero-day.
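One way a defender could look for the trait described above, uploads that carry a GIF header but are not actually images, is to walk the GIF block structure instead of trusting the first six bytes. This is an added example, not code from FireEye or from the original article; it assumes the payload begins with a standard GIF signature, and the record layout, function names, sample bytes and example.test hosts are constructed for illustration.

```python
# Added example: constructed data and hypothetical names, not taken from the malware.
GIF_MAGICS = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(buf, pos):
    """Walk length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(buf):
            raise ValueError("truncated sub-block chain")
        size = buf[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_structure_ok(buf):
    """True only if buf parses as a GIF from signature through to the trailer byte."""
    if len(buf) < 13 or buf[:6] not in GIF_MAGICS:
        return False
    pos = 13                                   # signature + logical screen descriptor
    if buf[10] & 0x80:                         # global colour table present
        pos += 3 * (2 << (buf[10] & 7))
    try:
        while True:
            kind = buf[pos]
            if kind == 0x3B:                   # trailer
                return True
            if kind == 0x21:                   # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(buf, pos + 2)
            elif kind == 0x2C:                 # image descriptor (10 bytes)
                flags = buf[pos + 9]
                pos += 10
                if flags & 0x80:               # local colour table present
                    pos += 3 * (2 << (flags & 7))
                pos = _skip_sub_blocks(buf, pos + 1)   # skip LZW minimum code size
            else:
                return False
    except (IndexError, ValueError):
        return False

def flag_uploads(records):
    """Return URLs of POSTs whose body carries a GIF signature but is not a GIF."""
    return [url for method, url, body in records
            if method == "POST" and body[:6] in GIF_MAGICS and not gif_structure_ok(body)]

# Constructed samples: a minimal 1x1 GIF, and a GIF signature followed by filler
# bytes standing in for ciphertext.
VALID_GIF = bytes.fromhex("474946383961 01000100800000 ffffff000000 "
                          "21f9040100000000 2c000000000100010000 0202440100 3b")
MASKED = b"GIF89a" + bytes(range(0x90, 0xD0))
RECORDS = [("POST", "http://upload.example.test/a", VALID_GIF),
           ("POST", "http://c2.example.test/b", MASKED),
           ("GET", "http://img.example.test/c", b"")]
print(flag_uploads(RECORDS))
```

The parser stops at the trailer byte, so data appended after a complete, valid image is not caught by this check and needs a separate length comparison.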

Among other things, the backdoor allows attackers to execute commands on the infected systems, as well as download any files from them and launch any programs.

There is clear evidence that this piece of malware was designed to work from behind firewalls, which points to corporate networks being the primary targets.

In addition, the backdoor has an unusual hibernation capability. It searches for a file called winfont.cpl in the system32 folder and doesn't activate itself until the date specified within.

"The emergence of new and powerful backdoors and their use in the targeted attacks is evidence showing that modern malware is not only used to steal users' credit cards or send spam," says Atif Mushtaq, a security research engineer at FireEye.

"There are many out-and-out criminal gangs (some with potential political affiliations) who are after something more than material gains. They develop targeted malware to get into sensitive networks and then loiter waiting for the chance to snatch confidential documents and/or intellectual property," he warns.
