
‘Flame’ virus offshoot burns high-profile victims


Researchers announced a new malware called miniFlame today that may be monitoring and stealing data from specific, highly profitable victims. It is a sister to the Flame malware that made headlines earlier this year.

The malware was found by Kaspersky Lab after it discovered and began monitoring the command and control servers of Flame. It recorded communications between Flame and the command and control servers as expected, but there was a separate, unexpected entity communicating with the same server. That turned out to be miniFlame.

MiniFlame is an extension of the cyber espionage malware Flame: it can be used as a Flame plug-in but is also capable of operating as its own entity. Kaspersky calls it a “high precision, surgical attack tool” that is likely reserved for bigger, more profitable targets. Indeed, researchers believe that Flame has infected up to 6,000 people, while miniFlame has only attacked around 60 people, or one percent of Flame’s pool.

The malware is one of four strains Kaspersky found after analyzing code from Flame’s command and control servers. There, researchers discovered communications protocols for IP, SPE, SP, and FL. “FL” was quickly identified as Flame. SPE is today’s miniFlame. Kaspersky says SP is likely an older version of SPE. IP is yet to be found and is the youngest of the four.

Flame was discovered earlier this year and was quickly labeled one of the most advanced cyber espionage tools known. It targets the Middle East and is packed with modules that each perform some sort of spying technique, such as turning on the computer’s microphone to record audio or taking screenshots when certain communications apps, such as email or Skype, are open. Gauss was found soon thereafter targeting systems in Lebanon, specifically programmed to steal bank account login credentials and other associated data.

Gauss can also use miniFlame as a plug-in, which strengthens the idea that the Flame and Gauss malware writers were in some way connected. When Gauss uses miniFlame, however, it refers to it as “John.”

Flame is similarly connected to the Stuxnet and Duqu viruses, as it shares a separate module with the two.

MiniFlame doesn’t target specific regions, but there are several variations of miniFlame that target places like Pakistan and Iran. There have also been some cases found in France. Thus far, researchers have only found six of these variants but believe there are up to six more. Those currently under watch were created between 2010 and 2011, though the protocol for miniFlame, SPE, was created in 2007.

Unlike Flame or Gauss, miniFlame sets up a backdoor through which its creators can directly control the computer it infects. Once in, it listens for commands, each of which goes by a name. These include:

  • Fiona: Writes files to the machine
  • Sonia: Data stealing, sends files back to the command and control servers
  • Sam: Puts the computer to sleep for “specified amount of time”
  • Barbara: Takes a screenshot if a specific application is open

Others include Elvis, Eve, Drake, Charles, Alex, and Tiffany.

How miniFlame actually gets installed onto victims’ computers is still unknown. Researchers believe it could be deployed from the command and control server when Flame and Gauss infect the system, though it can operate without the aid of Flame and Gauss.

Hat tip: Wired. Candles image via Shutterstock; Flame command and control server image via Kaspersky Lab.