Ongoing teardowns of the Flame malware and its underlying components have yielded a surprising discovery: a new piece of malware.Security researchers at Kaspersky Lab said that what they previously suspected was an attack module for the Flame malware is instead a standalone piece of attack code, although it can do double duty as a plug-in for both the Flame and Gauss malware. Designed for data theft and for providing attackers with direct access to an infected system, MiniFlame is based on the same architectural platform as Flame, according to Kaspersky Lab.”MiniFlame is a high-precision attack tool,” said Alexander Gostev, chief security expert at Kaspersky Lab, in an emailed statement. “Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack … to conduct more in-depth surveillance and cyber-espionage.”
The MiniFlame code had previously been referred to as “SPE” in Flame’s command-and-control (C&C) server code, but not found in the wild. “The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use,” read a blog post from Symantec. The security company said that it’s now updated its antivirus software to spot and block the MiniFlame malware, which it’s dubbed “W32.Flamer.B.”
Just how highly targeted is MiniFlame? Kaspersky Lab estimates that only 50 to 60 machines in the world have ever been infected by the malware. “These are highly focused attacks–what people call advanced, persistent threats–that are designed to fly under the radar and not be found,” Eric Byres, CTO and VP engineering at Tofino Security, which is owned by Belden, said via phone. “In the old days, when someone created malware, it practically broadcast its presence. Today it’s narrow, focused, and targeted, and darned hard to find.”
Here’s what the malware can do: Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab. The malware can also capture screenshots from infected PCs when people use a specified application, IM service, or FTP client, or send data to a C&C server. “Separately, at the request from MiniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an Internet connection,” said Kaspersky Lab.
To date, Kaspersky Lab said it’s found six different versions of MiniFlame, all created in 2010 or 2011, and at least two are still being used in active attacks. In terms of dating the malware’s origins, researchers have found signs in the code base that development of the malware began, at latest, in 2007.
The teardown of MiniFlame remains ongoing, and there are numerous related questions that have yet to be answered. “It’s interesting that one of the MiniFlame files had Versioninfo from Australia,” tweeted Mikko Hypponen, chief research officer at F-Secure, after reviewing the current research, “and that Gauss used encryption key 0xACDC.” This, he added, is an apparent reference to the Australian hard rock band AC/DC.
To recap the malware family tree: Flame was discovered in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the application’s size–20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having tapped world-class crypto to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.
Meanwhile, in August 2012, security researchers unearthed the Gauss malware, which was designed for highly targeted banking credential attacks, principally for customers of Lebanese banks. Given the targets, as well as the fact that Gauss was written in English, security watchers suspect that it was built by a Western nation state.
Based on code reviews, security researchers also believe Flame was commissioned by the same nation state that commissioned Stuxnet, although built by a different set of developers. Since U.S. government officials have taken credit for creating Stuxnet–although not Flame–that suggests that the United States has been behind not only Flame, but also Gauss, and now MiniFlame.
“MiniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss,” according to Kaspersky Lab’s research. “Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same ‘cyber warfare’ factory.”
But what researchers haven’t yet discovered is how MiniFlame would have infected computers. Since no related dropper–an application program that is used to infect machines with desired malware–has been found, researchers suspect that MiniFlame may have been dropped on targeted PCs by either the Flame or Gauss malware. Likewise, researchers haven’t found any dedicated MiniFlame C&C servers, which means it may be administered using Flame’s C&C servers.