Meet Flame Espionage Malware Cousin: MiniFlame

  /     /     /  
Publicated : 22/11/2024   Category : security


Meet Flame Espionage Malware Cousin: MiniFlame


Suspected Flame module turns out to be standalone attack code in use since at least 2010, described as targeted cyberweapon for conducting in-depth surveillance and espionage.



Ongoing teardowns of the Flame malware and its underlying components have yielded a surprising discovery: a new piece of malware.
Security researchers at Kaspersky Lab said that what they previously suspected was an
attack module
for the Flame malware is instead a standalone piece of attack code, although it can do double duty as a plug-in for both the Flame and Gauss malware. Designed for data theft and for providing attackers with direct access to an infected system, MiniFlame is based on the same architectural platform as Flame, according to Kaspersky Lab.
MiniFlame is a high-precision attack tool, said Alexander Gostev, chief security expert at Kaspersky Lab, in an emailed statement. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack ... to conduct more in-depth surveillance and cyber-espionage.
[ Could a cyber arms agreement help forestall cyber warfare? See
The Case For A Cyber Arms Treaty
. ]
The MiniFlame code had previously been referred to as SPE in Flames
command-and-control (C&C) server
code, but not found in the wild. The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use, read a
blog post
from Symantec. The security company said that its now updated its antivirus software to spot and block the MiniFlame malware, which its dubbed W32.Flamer.B.
Just how highly targeted is MiniFlame? Kaspersky Lab estimates that only 50 to 60 machines in the world have ever been infected by the malware. These are highly focused attacks--what people call advanced, persistent threats--that are designed to fly under the radar and not be found, Eric Byres, CTO and VP engineering at Tofino Security, which is owned by Belden, said via phone. In the old days, when someone created malware, it practically broadcast its presence. Today its narrow, focused, and targeted, and darned hard to find.
Heres what the malware can do: Once installed, MiniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine, according to research from Kaspersky Lab. The malware can also capture screenshots from infected PCs when people use a specified application, IM service, or FTP client, or send data to a C&C server. Separately, at the request from MiniFlames C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data thats collected from infected machines without an Internet connection, said Kaspersky Lab.
To date, Kaspersky Lab said its found six different versions of MiniFlame, all created in 2010 or 2011, and at least two are still being used in active attacks. In terms of dating the malwares origins, researchers have found signs in the code base that development of the malware began, at latest, in 2007.
The teardown of MiniFlame remains ongoing, and there are numerous related questions that have yet to be answered. Its interesting that one of the MiniFlame files had Versioninfo from Australia, tweeted Mikko Hypponen, chief research officer at F-Secure, after reviewing the current research, and that Gauss used encryption key 0xACDC. This, he added, is an apparent reference to the
Australian hard rock band AC/DC
.
To recap the malware family tree:
Flame was discovered
in May 2012. It was initially dismissed by some security researchers as bloatware, in part because of the applications size--20 MB with all modules installed, versus an average of up to 1 MB for most other malware. But ongoing analysis of Flame yielded numerous surprises, including its designers having
tapped world-class crypto
to imbue the malware with the ability to spoof Windows Update and automatically install itself on targeted computers.
Further analysis of the Flame code base also turned up some
apparent ties to Stuxnet
, which in turn is
related to Duqu
.
Meanwhile, in August 2012, security researchers
unearthed the Gauss malware
, which was designed for highly targeted banking credential attacks, principally for customers of
Lebanese banks
. Given the targets, as well as the fact that Gauss was written in English, security watchers suspect that it was built by a Western nation state.
Based on code reviews, security researchers also believe
Flame was commissioned
by the same nation state that commissioned Stuxnet, although built by a different set of developers. Since U.S. government officials have
taken credit for creating Stuxnet
--although not Flame--that suggests that the United States has been behind not only Flame, but also Gauss, and now MiniFlame.
MiniFlames ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss, according to Kaspersky Labs research. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same cyber warfare factory.
But what researchers havent yet discovered is how MiniFlame would have infected computers. Since no related dropper--an application program that is used to infect machines with desired malware--has been found, researchers suspect that MiniFlame may have been dropped on targeted PCs by either the Flame or Gauss malware. Likewise, researchers havent found any dedicated MiniFlame C&C servers, which means it may be administered using Flames C&C servers.
Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report,
Using Google To Find Vulnerabilities In Your IT Environment
, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Meet Flame Espionage Malware Cousin: MiniFlame