One of three previously unseen pieces of malware discovered during forensic analysis of the Flame malware command-and-control servers has been identified as a secondary surveillance tool deployed against specially identified targets, and only after an initial Flame or Gauss compromise, researchers said today.
MiniFlame, or SPE, was originally thought to be a Flame module, but researchers at Kaspersky Lab and CERT-Bund/BSI determined the program can stand alone as an independent piece of malware, or run as a plug-in for both Flame and Gauss, another state-sponsored attack kit focused on stealing online banking credentials.
“After data is collected [by Flame] and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage,” said Alexander Gostev, chief security expert at Kaspersky. Gostev added that his team’s research further cements the tie-ins between the authors of Stuxnet, Duqu, Flame and Gauss.
MiniFlame has infected far fewer machines than its siblings (10-20 compromises vs. 700 Flame incidents and 2,500 Gauss incidents) and doesn’t have the same geographical preferences. Six miniFlame variants have been found to date and most of its infections have been found in Lebanon. Flame primarily attacked machines in Iran, Israel, Sudan and Syria.
“This indicates that [miniFlame] is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and posing the greatest interest to the attackers,” a blog post on Securelist said this morning.
MiniFlame is essentially a backdoor. The attackers are able to use it to retrieve any file from an infected machine, or create screenshots while the computer is running a Web browser, Office application, Adobe Reader, instant messenger service or FTP client, Kaspersky said. The malware then uploads what it has stolen to either a dedicated command-and-control server, or one of the Flame C&Cs. The malware also has the capability of infecting a machine with another module that attacks USB drives, using them to store data if a machine is running offline.
“If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” the Securelist post said.
MiniFlame is architecturally similar to Flame, and not only operates as data-stealing malware, but provides attackers direct access to infected systems. Researchers believe development of miniFlame began in 2007 and continued into this year. Kaspersky was able to sinkhole several Flame command-and-control domains and miniFlame domains. Between the end of May and the end of September, researchers saw close to 14,000 connections from 90 different IP addresses to those domains, most to servers in Lebanon, but some proxies in France, the United States and Iran.
The researchers were also able to monitor 10 commands understood by the malware, instructing everything from writing and sending files to and from the command-and-control servers, to creating screenshots for predefined processes, to sleeping for specified periods of time.
The original analysis of the Flame C&C which led to the miniFlame discovery, was reported in September. Researchers from Kaspersky, Symantec, CERT-Bund/BSI and the International Telecommunication Union’s Impact Alliance combined to find three new pieces of malware in addition to Flame and four communications protocols– OldProtocol; OldProtocolE; SignupProtocol; and RedProtocol (still under development)–used by the malware to connect to command and control.
The discovery of SPE leaves two more pieces of malware unidentified: SP and IP. Researchers deduce that SP could be an older version of miniFlame/SPE while IP remains unknown. IP is the most recent malware coming from this group, the researchers said. Analysis of the C&C servers in September also determined at least four programmers are on the team behind the attacks, each with varying levels of expertise; additional confirmation was also made that sophisticated cryptography is being used to encrypt data as it’s sent between the victims’ machines and the C&C servers.
“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East. Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown,” the miniFlame report said.
