Kaspersky discovers miniFlame cyberespionage malware directly linked to Flame and Gauss

MiniFlame serves as a backdoor that gives attackers direct access to infected computers

Security researchers from Kaspersky Lab have identified another piece of malware targeting the Middle East that is likely part of the interrelated cyberespionage efforts behind Stuxnet, Duqu, Flame and Gauss.

The malware was dubbed miniFlame because its code suggests that it was built on the same platform as the highly sophisticated Flame threat discovered in May. However, the functionality of miniFlame -- called SPE by its authors -- is different.

"Flame and Gauss are mostly about data and information stealing," Roel Schouwenberg, a senior researcher at Kaspersky Lab, said Monday via email. "MiniFlame serves as a backdoor which gives the operator direct access to an infected machine. So yes, the functionality and intent is different."

"If Flame and Gauss were massive spy operations, infecting thousands of users, SPE/miniFlame is a high precision espionage tool," the Kaspersky researchers said Monday in a blog post that details their findings.

MiniFlame can function independently on a computer, but also as a Flame or, more surprisingly, as a Gauss module.

Kaspersky researchers had previously established a relationship between Flame and Gauss based on code similarities, but miniFlame's ability to function as a module for both threats represents the most conclusive proof that they are related.

"We can assume this malware was part of the Flame and Gauss operations which took place in multiple waves," the Kaspersky researchers said. "First wave: infect as many potentially interesting victims as possible. Secondly, data is collected from the victims, allowing the attackers to profile them and find the most interesting targets. Finally, for these 'select' targets, a specialized spy tool such as SPE/miniFlame is deployed to conduct surveillance/monitoring."

The method used to infect computers with miniFlame has not been established yet, but the researchers believe that the malware might be downloaded and installed by Flame or Gauss. This is because most of the miniFlame-infected computers have also been infected with Flame or Gauss in the past.

"It is also possible that SPE is part of some sort of main Flame dropper (as yet undiscovered), or is in fact the unknown encrypted payload which was distributed by Gauss on USB disks," the Kaspersky researchers said.

"The Flame self-destruction plug-in does not delete any SPE files," Schouwenberg said. "It has to be removed separately. We need to view miniFlame as a separate operation to the others, so it makes sense. We can assume the authors hoped SPE would go unnoticed after Flame's (and Gauss') discovery."

MiniFlame is capable of downloading files from a command and control (C&C) server, uploading a file from the machine to the server, loading a specified DLL file, creating a process with given parameters or taking screen shots of the active window if it belongs to a program from a list. The list of programs targeted by the screen shot functionality includes instant messaging applications, browsers, document editors, development tools and others.

A special version of miniFlame, which is installed on a case-by-case basis, is capable of infecting USB drives with a component that collects information from computers in which the drive is subsequently inserted.

An analysis of the Flame C&C servers that was performed by Kaspersky Lab in partnership with Symantec, ITU-IMPACT and CERT-Bund/BSI revealed that the servers supported four communication protocols dubbed OldProtocol, OldProtocolE, SignupProtocol and RedProtocol. The analysis also showed that these communication protocols were used by four separate threats called SP, SPE, FL and IP. FL, which is believed to be Flame, and SP -- possibly an older version of SPE/miniFlame -- use OldProtocol. SPE uses OldProtocolE, while IP, which hasn't been found yet, uses SignupProtocol. RedProtocol is mentioned in the server software, but has not been implemented yet.

MiniFlame was discovered at the beginning of July, but has been used since at least 2010. The Kaspersky researchers have found six samples of the malware dating from 2010 and 2011 and have reason to believe that the communication protocol used by the malware was created in 2007 or earlier.

"We believe that the developers of miniFlame created dozens of different modifications of the program," the Kaspersky researchers said.

Kaspersky estimates the total number of miniFlame infections at between 50 and 60, far fewer than the number of Flame infections -- 5,000 to 6,000 -- or Gauss infections -- approximately 10,000.

"The modification known as '4.50' is mostly found in Lebanon and Palestine," the researchers said. "The other variants were found in other countries, such as Iran, Saudi Arabia and Qatar."

Some IP (Internet Protocol) addresses associated with miniFlame-infected computers that contacted the C&C servers between May and September were from the U.S., France and Lithuania. Some of them correspond to proxy or VPN servers that might have been used by the malware's victims, but others do not.

"With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East," the Kaspersky researchers said. "Their true, full purpose remains obscure and the identity of the victims and attackers remains unknown."

Lucian Constantin

IDG News Service