Vulnerabilities / Threats
11:53 AM

Meet Flame Espionage Malware Cousin: MiniFlame

Suspected Flame module turns out to be standalone attack code in use since at least 2010, described as targeted cyberweapon for conducting in-depth surveillance and espionage.

Ongoing teardowns of the Flame malware and its underlying components have yielded a surprising discovery: a new piece of malware.

Security researchers at Kaspersky Lab said that what they previously suspected was an attack module for the Flame malware is instead a standalone piece of attack code, although it can do double duty as a plug-in for both the Flame and Gauss malware. Designed for data theft and for providing attackers with direct access to an infected system, MiniFlame is based on the same architectural platform as Flame, according to Kaspersky Lab.

"MiniFlame is a high-precision attack tool," said Alexander Gostev, chief security expert at Kaspersky Lab, in an emailed statement. "Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack ... to conduct more in-depth surveillance and cyber-espionage."

[ Could a cyber arms agreement help forestall cyber warfare? See The Case For A Cyber Arms Treaty. ]

The MiniFlame code had previously been referred to as "SPE" in Flame's command-and-control (C&C) server code, but not found in the wild. "The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use," read a blog post from Symantec. The security company said that it's now updated its antivirus software to spot and block the MiniFlame malware, which it's dubbed "W32.Flamer.B."

Just how highly targeted is MiniFlame? Kaspersky Lab estimates that only 50 to 60 machines in the world have ever been infected by the malware. "These are highly focused attacks--what people call advanced, persistent threats--that are designed to fly under the radar and not be found," Eric Byres, CTO and VP engineering at Tofino Security, which is owned by Belden, said via phone. "In the old days, when someone created malware, it practically broadcast its presence. Today it's narrow, focused, and targeted, and darned hard to find."

Here's what the malware can do: Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab. The malware can also capture screenshots from infected PCs when people use a specified application, IM service, or FTP client, or send data to a C&C server. "Separately, at the request from MiniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an Internet connection," said Kaspersky Lab.

To date, Kaspersky Lab said it's found six different versions of MiniFlame, all created in 2010 or 2011, and at least two are still being used in active attacks. In terms of dating the malware's origins, researchers have found signs in the code base that development of the malware began, at latest, in 2007.

The teardown of MiniFlame remains ongoing, and there are numerous related questions that have yet to be answered. "It's interesting that one of the MiniFlame files had Versioninfo from Australia," tweeted Mikko Hypponen, chief research officer at F-Secure, after reviewing the current research, "and that Gauss used encryption key 0xACDC." This, he added, is an apparent reference to the Australian hard rock band AC/DC.

To recap the malware family tree: Flame was discovered in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the application's size--20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having tapped world-class crypto to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.

Further analysis of the Flame code base also turned up some apparent ties to Stuxnet, which in turn is related to Duqu.

Meanwhile, in August 2012, security researchers unearthed the Gauss malware, which was designed for highly targeted banking credential attacks, principally for customers of Lebanese banks. Given the targets, as well as the fact that Gauss was written in English, security watchers suspect that it was built by a Western nation state.

Based on code reviews, security researchers also believe Flame was commissioned by the same nation state that commissioned Stuxnet, although built by a different set of developers. Since U.S. government officials have taken credit for creating Stuxnet--although not Flame--that suggests that the United States has been behind not only Flame, but also Gauss, and now MiniFlame.

"MiniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss," according to Kaspersky Lab's research. "Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory."

But what researchers haven't yet discovered is how MiniFlame would have infected computers. Since no related dropper--an application program that is used to infect machines with desired malware--has been found, researchers suspect that MiniFlame may have been dropped on targeted PCs by either the Flame or Gauss malware. Likewise, researchers haven't found any dedicated MiniFlame C&C servers, which means it may be administered using Flame's C&C servers.

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Verdumont Monte
Verdumont Monte,
User Rank: Apprentice
10/16/2012 | 7:14:24 PM
re: Meet Flame Espionage Malware Cousin: MiniFlame
Here we are thinking we are "safe" from malware, since we have a AV product, and these kind of new "spyware" (literally, since spy agencies use it ) being discovered. I wonder how much effort/time/money had gone into these. Instead the government could have invested that money in a FOSS app or could have created something / helped with Linux , which could have yielded something useful. I wonder how much of malware is still in their arsenal.
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.