'miniFlame' Ignites Cyber Espionage - Kaspersky Lab's Uncovers new Malware

By Peter Bernstein October 16, 2012

If you are like me – a tad paranoid and hence mindful of things related cyber warfare and espionage – you likely have the home page of the super sleuths at Kaspersky Lab (KL) book marked. However, if you are from the school of “what I don’t know can’t hurt me,” you may have missed the most recent findings from KL about their discovery of miniFlame, “a small and highly flexible malicious program designed to steal data and control infected systems during targeted espionage operations.”

Flame on    

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module. However, in September 2012, Kaspersky Lab’s found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware. Analysis showed several versions were created between 2010 and 2011, with some variants still active. As KL points out also troubling was evidence of cooperation between the creators of Flame and Gauss.

Major findings of the analysis of miniFlame include:

  • miniFlame, aka SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside Flame and Gauss.
  • miniFlame operates as a backdoor designed for data theft and direct access to infected systems.
  • Development of miniFlame might have started in 2007 and continued until the end of 2011. Kaspersky Lab has identified six variants, covering two major generations: 4.x and 5.x.
  • Unlike Flame or Gauss, which had high numbers of infections, KL estimates miniFlame infections worldwide at 50-60.
  • The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

The researchers concluded that: “…All these advanced threats come from the same ‘cyber warfare’ factory.” What they have yet to determine is who is behind the factory. 

Very powerful

The level of sophistication behind the entire family of Flame/Gauss malware is frightening.  Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. It adds that other info-stealing capabilities include:

  • Making screenshots of an infected computer while it’s running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client.
  • miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or “shared” with Flame’s C&Cs).
  • Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented:

“miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”

Since this is as Gostev explained a “weapon” in cyber wars don’t expect its creators to self-identify.  Variants of this type of malware have been rumored as the tools by which Western nations disrupted Iran’s nuclear capability. However, recent concentration of the factory on disrupting banking activities means the list of those behind the efforts is pretty large. 

Kaspersky Lab thanked CERT-Bund/BSI for their help, and provided the following links for those interested in additional details: The blog post at Securelist.com, and the full report on miniFlame from Securelist.com as well.

The good news is that it is reassuring to know Kaspersky Lab is on the case. The bad news is that it is probable if not likely that Flame, Gauss and now miniFlame are nation state sponsored. And, while the goal of the International Telecommunications Union is to mitigate the risks posed by cyber-weapons and achieve global cyber-peace, unfortunately it is hard to imagine a scenario where the creators of such malware, whether state-sponsored or nor, are likely to disarm. As the late great baseball pitcher Satchel Paige said, “Don’t look back they might be gaining on you!”



SHARE THIS ARTICLE
Related Articles

WannaCry Ransomware Holds Files Hostage: Best Practices to Avoid Being a Victim

By: Special Guest    5/23/2017

More than 200,000 computers in more than 150 countries were crippled by a massive ransomware attack, dubbed WannaCry, and security experts warned that…

Read More

LeoSat Secures Japanese Investment for Enterprise Broadband Satellite Network

By: Doug Mohney    5/23/2017

Another broadband satellite cloud network moved closer to reality this month, with LeoSat securing an investment from SKY Perfect JSAT (SJC) Corporati…

Read More

Organizations Can Combat WannaCry & Jaff Ransomware With Well Instrumented DNS

By: Special Guest    5/22/2017

The Infoblox Intelligence Unit observed two global malware outbreaks on Friday, May 12. Although there is no indication that the two attacks were rela…

Read More

The WannaCry Attack Was Years in the Making

By: Kayla Matthews    5/19/2017

WannaCry doesn't operate like you'd expect. That is, it's not a seedy application or form of spam that self-installs on your computer because you clic…

Read More

Google Crosses Lines, Puts Google Assistant on iPhone

By: Steve Anderson    5/18/2017

Google threatens Siri's dominance on iPhone by offering Google Assistant on the device.

Read More