
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


2 posts from November 2010

VinSelf - A new backdoor in town!

I recently came across a new piece of Modern Malware found to be involved in a highly targeted attack. My initial exploration into the malware revealed it to be a powerful backdoor with the capability to provide an attacker complete control over the infected system.

What's happening at the moment? A few weeks ago, we saw a powerful backdoor, Pirpi, exploiting the IE 0-day as part of some targeted attacks. Now comes VinSelf. The emergence of new and powerful backdoors and their use in targeted attacks is evidence that modern malware is not only used to steal users' credit cards or send spam. There is much more at stake as well.

There are many out-and-out criminal gangs (some with potential political affiliations) who are after something more than material gains. They develop targeted malware to get into sensitive networks and then loiter, waiting for the chance to snatch confidential documents and/or intellectual property. Cases like VinSelf (where the malware can fully function even from behind proxy firewalls) are also an indication that the main target here is not desktop users.

During the investigation, I found many interesting facts about this malware, such as its CnC protocol, the obfuscation in use and its backdoor capabilities. Today I would like to share some high-level characteristics of this malware.


More on the IE 0-day - Hupigon Joins The Party

It was just a few days ago that Symantec disclosed a new 0-day vulnerability in Microsoft's Internet Explorer (versions 6, 7, and 8). They found at least one piece of malware, called 'Backdoor.Pirpi', that is actively exploiting this vulnerability in targeted email attacks posing as hotel reservation notifications.

Here at FireEye Labs, we have identified another type of Modern Malware, called 'Hupigon', exploiting the same IE zero-day vulnerability. This malware looks to be more successful and reliable at infecting systems than Pirpi.

It is increasingly common for cyber criminals to 'upgrade' Modern Malware with newly uncovered zero-day exploits. Now the question is: are the criminal masterminds behind this second wave of attacks the same as those behind the first wave? In this article I will try to answer this question.

In order to find a link, let's compare these attacks side-by-side.
