Kaspersky is reporting on a newly uncovered piece of malware that has been dubbed “miniFlame” – a fully functional independent malware module with some interesting ties to previous pieces of state-sponsored malware. As the name suggests it has been tied to the infamous Flame malware and also the Gauss malware. Through the course of an ongoing investigation, the pieces and connections between the malware have been linked to paint a pretty amazing picture of sophistication, specialization, and designed targeting. Through it all, the persistent question of authorship makes for a fascinating undertone as US intelligence agencies are generally believed to be responsible for these weapons.
This lineup of malware has targeted computer systems based in the Middle East, infecting foreign entities that the US has much interest in. The latest discovery, miniFlame is a cyber-espionage malware tool that is designed to access select data on target systems. The list of associated commands that are executable through Command-and-Control (C&C) servers once the malware takes root and establishes a backdoor includes a number of commands, one of which is named “ELVIS”.
miniFlame is also significant in that it ties two previously discovered pieces of malware together. You see while the miniFlame malware can infect and act as designed completely on its own, it also can be controlled by Flame and can also be used in conjunction with Gauss. These connections between these tools show that these three cyber-espionage projects came from the same cyber-weapon factory.
“We believe that the developers of miniFlame created dozens of different modifications of the program. At this time, we have “only” found six of these, dated 2010-2011.”
“With Flame, Gauss and miniFlame, we have only just scratched surface of the massive cyber-espionage operations ongoing in the Middle East. Their full purpose remains obscure and the identity of the victims and the attackers remains unknown.”
When Flame was discovered back in May 2012, it was remarkable in that it had been able to install by posing as a Windows update, but also by what it was designed to unleash on the infected system. Infected systems turned into ultimate spy devices, recording video, audio, capturing screenshots, detecting and giving network information, recording email, browsing history, instant messages and mass file copies – all in secret and undetected. Once it was done storing the information it would upload the information to C&C servers and then delete itself.
Gauss was discovered in June 2012. The Trojan was designed to intercept sensitive data, and focused on stealing passwords, cookies, online banking account information, and machine configurations. The Gauss C&C infrastructure was reportedly shut down in July, leaving countless unknown infected systems standing by for commands. The distinguishing feature of Gauss was the interception of bank information, involving institutions such as Bank of Beirut, Citibank, EBLF, FransaBank, Paypal, and others.
miniFlame – surgical attack tool
miniFlame is more like the Flame tool, but made for precision. The harvest of information apparently goes after certain target files, as opposed to the everything approach in the original Flame and has the option to send its loot to an attached USB drive on non-networked systems. Forensic analysis of C&C servers seized by European police turned up code that indicated that they were listening for four pieces of malware, Flame and miniFlame make up two of those.
The analysis of the Flame’s C&C modules show that the code can understand several communication protocols to talk to different “clients” or malware:
- RedProtocol (mentioned but not implemented)
A close look at these protocol handlers revealed four different types of clients: SP, SPE, FL and IP.
This is where the SPE comes from. Another significant difference between miniFlame/SPE malware and Flame/Gauss is that the number of infections is significantly smaller and has a very specific target base. The latter infected an estimated minimum of 10,000 systems. miniFlame has only been found in a few dozen systems localized in Western Asia.
“we are inclined to believe that the choice of countries depends on the SPE variant. For example, the modification known as “4.50” is mostly found in Lebanon and Palestine. The other variants were found in other countries, such as Iran, Saudi Arabia and Qatar.”
The Kaspersky report is very detailed. The big picture shows that cyber-intelligence operations continue in an effort to gain information and most famously in the case of Stuxnet, actual disabling of Iranian nuclear centrifuges. As Kaspersky continues their investigations the statement that they have only scratched the surface lends itself to the notion of a vast effort that indicates that cyber-warfare is secretly going on and is in full-swing.