Flame, miniFlame, the mystery of an ongoing cyber espionage campaign

Pierluigi Paganini October 16, 2012

Last May the Iranian Computer Emergency Response Team (MAHER) detected a new targeted malware that had hit the country. It was named Flame, after its main attack module, and is also known as Flamer or Skywiper. MAHER wasn’t the only one to detect the agent: Kaspersky Lab and CrySyS Lab also identified the dangerous new malware, recognized as a powerful cyber espionage toolkit that mainly hit Windows systems in the Middle East. The researchers demonstrated its state-sponsored origin and its link with the cyber weapon Stuxnet; a first analysis dated the development of the agent to the same period as the famous virus that hit Iran.

Further analysis conducted in June revealed a disturbing scenario. According to the investigation, the first use of Flame, initially thought to have begun in 2010, appeared to date to 2006. What is more surprising is that the C&C servers were able to use different communication protocols, probably to “converse” with different clients. The experts noted four different protocols used to control four different types of malware, named SP, SPE, FL and IP, where FL stands for Flame; according to the code analyzed, the remaining clients are similar agents. The protocols are:

  1. OldProtocol
  2. OldProtocolE
  3. SignupProtocol
  4. RedProtocol (mentioned but not implemented)

By redirecting the botnet's traffic to a “sinkhole”, the analysts distinguished two different streams, one related to Flame and one to another malicious agent, the SPE malware client, demonstrating that it is operating in the wild. The graph of connections to the C&C server starting on March 25th shows that 5377 unique IP addresses connected to the server located in Europe; 3700 connections originated from Iran and around 1280 from Sudan, the countries that are the target of the attack.


A Kaspersky blog post published today refers to the SPE agent as “miniFlame”. This is the agent uncovered during the investigation, and the post highlights that it is a smaller version of a Flame module, probably because it was developed earlier. Don’t let the name fool you: the “miniFlame” malware is a fully functional espionage module designed for information gathering. It is implemented as an independent module and can operate on an infected machine even without the main Flame components. miniFlame mainly acts as a backdoor on infected systems, allowing remote control by the attackers. What is interesting is miniFlame's ability to also work with the Gauss malware, demonstrating a common origin of the offensive against the Middle East region.

The Kaspersky blog post uses the words “cyber-weapon factory”, and maybe that is not a coincidence: these agents could also be used for offensive purposes simply by loading a specific module. The cyber-weapon factory appears to be very productive. The Kaspersky team believes that the authors of Flame have created dozens of different agents, and many of them are probably yet to be discovered. Another singular revelation concerns the use of the C&C servers: some of them were used exclusively to control SPE, others to control both SPE and Flame agents. The spread of miniFlame was limited compared with Gauss and Flame, maybe because it has been used as a surgical attack tool on very specific targets considered strategic by the attackers.


SPE does not have a clear geographical bias; the researchers found different modifications used against different countries such as Lebanon, Iran, Kuwait, Palestine and Qatar. The two main locations of victims are Lebanon and Iran.



Looking at the sinkhole statistics for miniFlame, it is possible to note that between 28th of May 2012 and September 30th the servers counted around 14,000 connections in total from about 90 different IPs.

What about the other malware not yet identified?

Researchers believe that SP could be an older version of miniFlame, while the IP agent remains a total mystery. The main mystery concerns the authors of the massive cyber espionage campaign. The Kaspersky report states:

“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East. Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown,”

The natural question to ask ourselves is:

How many of these agents are around in cyberspace, and for how long?

Probably, cyberspace is currently hosting various agents similar to those identified that can operate silently... what will be the consequences?

Pierluigi Paganini


