Flame's vicious sibling miniFlame malware, a cyber-espionage 'surgical attack tool'

A new Kaspersky Lab report revealed that a vicious cyber-espionage malware sibling was spawned from Flame. miniFlame is Flame's own evil Mini-Me which can work as a backdoor so operators can snag any file from an infected machine. It can take screenshots when specific Microsoft programs, Adobe Reader, instant messengers, FTP, or web browsers are open. It's also believed that SPE/miniFlame is in the wild.

The cyber-espionage malware Flame has a vicious little sibling called miniFlame, according to a Kaspersky Lab report released today. This small, "high-precision, surgical attack tool" can operate as a standalone, without the Flame main modules, or as a component controlled by Flame or the espionage program Gauss. miniFlame is the first solid link proving that Flame and Gauss came from the same "cyberweapon factory." Six different modifications of SPE (Kaspersky's internal name for miniFlame) have been identified so far, but Kaspersky researchers "believe that the developers of miniFlame created dozens of different modifications of the program."

Kaspersky wrote, "If Flame and Gauss were massive spy operations, infecting thousands of users, SPE/miniFlame is a high-precision espionage tool. The number of its victims is comparable to Duqu."

We can assume this malware was part of the Flame and Gauss operations, which took place in multiple waves. In the first wave, as many potentially interesting victims as possible are infected. In the second, data is collected from the victims, allowing the attackers to profile them and find the most interesting targets. Finally, for these "select" targets, a specialized spy tool such as SPE/miniFlame is deployed to conduct surveillance and monitoring.

Last month, Kaspersky experts said Flame had at least three more brothers: SP, SPE and IP. The report released today said SPE/miniFlame can use "its own C&C servers or common servers with Flame." For extremely targeted cyber-espionage operations, miniFlame can work as a backdoor that lets operators snag any file from an infected machine. It gives operators direct access to infected machines and can take screenshots when specific Microsoft programs, Adobe Reader, instant messengers, FTP clients, or web browsers are open. It's also believed that SPE/miniFlame is still in the wild.

Here is a list of the available commands Kaspersky experts have identified:

The handler routine for the "BARBARA" command can be run in a different mode in which it produces screenshots only if the foreground window belongs to one of the processes on a hardcoded list; however, this functionality is disabled.

Most of the processes on BARBARA's hardcoded list are Windows processes for Microsoft programs, such as:

Internet Explorer browser, MS Outlook, MS Outlook Express, MS Word, MS Excel, MSN Messenger, two different MSN Messenger extensions, Microsoft Developers Studio, Windows Explorer, MS FrontPage editor, Windows Telnet client, Windows FTP client, Windows Notepad, Microsoft Office Project, Microsoft PowerPoint, MS Visio, Microsoft Remote Desktop connection, Microsoft Management Console, Microsoft Office OneNote, Microsoft Office OneNote Quick Launcher and an IIS component. The entire list can be found in the detailed technical report.

"The stolen data is encrypted on the server in such a way that only the attackers can read it, through strong public key cryptography," Kaspersky reported. "These features are not normally found in malware created by everyday cyber-criminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack."

The number of known machines infected by miniFlame worldwide is so far much lower than for Flame and Gauss. Development of this malicious program may have started in 2007, but some versions of miniFlame were created in 2010 and 2011. In fact, some of the six variants are still considered active. Unlike Flame, which was mostly seen in Iran and Sudan, and unlike Gauss, which was mostly seen in Lebanon, miniFlame variant infections have been seen in Lebanon, Palestine, Iran, Saudi Arabia, Qatar and Kuwait.

The researchers were "able to trace the IPs in the United States to VPN connections." While France is not exactly going down in flames, Kaspersky reported there are infections and that the "IPs in France are the most curious ones -- some do appear to be proxies or VPNs, but others are not so obvious." For example, "one of the IPs of victims in France belongs to Francois Rabelais University of Tours."

Kaspersky Lab revealed, "With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East. Their true, full purpose remains obscure and the identity of the victims and attackers remains unknown."

Image credits: Kaspersky Labs

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.