Kaspersky discovers miniFlame cyberespionage malware directly linked to Flame and Gauss
MiniFlame serves as a backdoor that gives attackers direct access to infected computers
IDG News Service - Security researchers from Kaspersky Lab have identified another piece of malware targeting the Middle East that is likely part of the interrelated cyberespionage efforts behind Stuxnet, Duqu, Flame and Gauss.
The malware was dubbed miniFlame because its code suggests that it was built on the same platform as the highly sophisticated Flame threat discovered in May. However, the functionality of miniFlame -- called SPE by its authors -- is different.
"Flame and Gauss are mostly about data and information stealing," Roel Schouwenberg, a senior researcher at Kaspersky Lab, said Monday via email. "MiniFlame serves as a backdoor which gives the operator direct access to an infected machine. So yes, the functionality and intent is different."
"If Flame and Gauss were massive spy operations, infecting thousands of users, SPE/miniFlame is a high precision espionage tool," the Kaspersky researchers said in a blog post that details their findings.
MiniFlame can function independently on a computer, but also as a Flame or, more surprisingly, as a Gauss module. Kaspersky researchers had previously established a relationship between Flame and Gauss based on code similarities, but miniFlame's ability to function as a module for both threats represents the most conclusive proof that they are related.
"We can assume this malware was part of the Flame and Gauss operations which took place in multiple waves," the Kaspersky researchers said. "First wave: infect as many potentially interesting victims as possible. Secondly, data is collected from the victims, allowing the attackers to profile them and find the most interesting targets. Finally, for these 'select' targets, a specialized spy tool such as SPE/miniFlame is deployed to conduct surveillance/monitoring."
The method used to infect computers with miniFlame has not been established yet, but the researchers believe that the malware might be downloaded and installed by Flame or Gauss. This is because most of the miniFlame-infected computers have also been infected with Flame or Gauss in the past.
"It is also possible that SPE is part of some sort of main Flame dropper (as yet undiscovered), or is in fact the unknown encrypted payload which was distributed by Gauss on USB disks," the Kaspersky researchers said.
"The Flame self-destruction plug-in does not delete any SPE files," Schouwenberg said. "It has to be removed separately. We need to view miniFlame as a separate operation to the others, so it makes sense. We can assume the authors hoped SPE would go unnoticed after Flame's (and Gauss') discovery."
MiniFlame is capable of downloading files from a command and control (C&C) server, uploading a file from the machine to the server, loading a specified DLL file, creating a process with given parameters or taking screen shots of the active window if it belongs to a program from a list.
- DOJ's charges against China reframe security, surveillance debate
- Hacker indictments against China's military unlikely to change anything
- U.S. to formally accuse Chinese military of hacking
- Cyberattacks could paralyze U.S., former defense chief warns
- The NSA blame game: Singling out RSA diverts attention from others
- Jury still out on FISA court
- Suspected China-based hackers 'Comment Crew' rises again
- Chinese hackers master the art of lying in wait
- Spy court OK'd all U.S. wiretap requests it received in 2012
- Groups denounce FBI plan to require Internet backdoors for wiretaps
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Data Protection eGuide In this eGuide, CSO and sister publications IDG News Service, Computerworld, and CIO pull together news, trend, and how-to articles about the increasingly...
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!