
Flame, miniFlame, the mystery of an ongoing cyber espionage campaign

Last May the Iranian Computer Emergency Response Team (MAHER) detected a new targeted malware that hit the country. It has been named Flame, also known as Flamer or Skywiper, after the name of its main attack module. MAHER wasn’t the only one to detect the agent: Kaspersky Lab and CrySyS Lab also identified the new dangerous malware, recognized as a powerful cyber espionage toolkit that hit mainly Windows systems in the Middle East area. The researchers demonstrated the state-sponsored origin and the link with the cyber weapon Stuxnet, dating, in a first analysis, the development of the agent to the same period as the famous virus that hit Iran. Further analysis conducted in June revealed a disturbing scenario: according to the investigation, the first use of Flame, initially thought to have begun in 2010, appeared to date back to 2006, and what is surprising is that the C&C servers were able to use different communication protocols, probably used to “converse” with different clients. The experts noted four different protocols used to control four different types of malware, named SP, SPE, FL and IP, where FL stands for Flame; according to the code analyzed, the remaining clients are similar agents. The protocols are:

  1. OldProtocol
  2. OldProtocolE
  3. SignupProtocol
  4. RedProtocol (mentioned but not implemented)

By redirecting the botnet traffic to a “sinkhole”, the analysts distinguished two different streams, related respectively to Flame and to another malicious agent, the SPE malware client, demonstrating that it is operating in the wild. Below is the graph of the connections to the C&C server starting on March 25th: it shows that 5377 unique IP addresses connected to the server located in Europe, 3700 connections originated from Iran and around 1280 from Sudan, the countries that are the target of the attack.


The Kaspersky blog post published today refers to the SPE agent as “miniFlame”, the agent uncovered during the investigation, and highlights that it is a smaller version of the Flame module, probably because it was developed before. Don’t let the name fool you: the “miniFlame” malware is a fully functional espionage module designed for information gathering, implemented as an independent module and able to operate on an infected machine even without the main Flame components. Mainly, miniFlame acts as a backdoor on infected systems, allowing remote control by the attackers. What is interesting is the ability of miniFlame to work also with the Gauss malware, demonstrating a common origin of the offensive against the Middle East region. The Kaspersky blog post uses the words “cyber-weapon factory”, and maybe it is not by chance: these agents could also act for offensive purposes simply by loading a specific module. The cyber-weapon factory appears to be very productive; the Kaspersky team believes that the authors of Flame have created dozens of different agents, many of which are probably yet to be discovered. Another singular revelation is related to the use of the C&C servers: some of them were used exclusively to control SPE, others to control both SPE and Flame agents. The diffusion of miniFlame was limited with respect to Gauss and Flame, maybe because it has been used as a surgical attack tool on very specific targets that the attackers considered strategic.


SPE does not have a clear geographical bias; the researchers found different modifications used against different countries such as Lebanon, Iran, Kuwait, Palestine and Qatar. The two main locations of victims are Lebanon and Iran.


Looking at the sinkhole statistics of miniFlame, it is possible to note that between May 28th, 2012 and September 30th the servers counted around 14,000 connections in total from about 90 different IPs.

What about the other malware not yet identified?

Researchers believe that SP could be an older version of miniFlame, while the IP agent remains a total mystery. The main mystery is related to the authors of the massive cyber espionage campaign; the Kaspersky report states:

“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East. Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown.”

The question it is natural to ask ourselves is:

How many of these agents are around the cyber space and for how long?

Probably, cyberspace is currently hosting different agents similar to those identified that can operate silently. What will be the consequences?

Pierluigi Paganini

References

http://www.securelist.com/en/blog/763/miniFlame_aka_SPE_Elvis_and_his_friends
