Kaspersky discovers ‘miniFlame,’ designed for highly targeted cyber-espionage

• Analysis shows several versions created between 2010 and 2011; some variants still active in the wild

• miniFlame is a high precision attack tool, says Kaspersky Lab’s chief security expert

SECURITY specialist Kaspersky Lab has announced the discovery of miniFlame, which it described as a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber-espionage operations.

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module. However, in September, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command & control servers (C&C) and found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware.

Analysis of miniFlame (click diagram to enlarge) showed there were several versions created between 2010 and 2011, with some variants still being active in the wild, the company said in a statement.

The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a “plug-in” for their operations.

“miniFlame is a high precision attack tool,” said Alexander Gostev, chief security expert at Kaspersky Lab.

“Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyber-attack. First, Flame or Gauss is used to infect as many victims as possible to collect large quantities of information.

“After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.

“The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss,” he added.

Main findings:

• miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.
• The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.
• Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variations are presumed to be created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
• Unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60.
• The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

Kaspersky Lab said it discovered six different variations of miniFlame, all dating back to 2010-2011. At the same time, the analysis of miniFlame points to even earlier date when development of the malware was commenced – not later than 2007.

miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory.

The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss. Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine.

Additional info-stealing capabilities include making screenshots of an infected computer while it’s running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client.

miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or “shared” with Flame’s C&Cs). Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection.

Kaspersky Lab said it would like to thank CERT-Bund/BSI for its assistance with this investigation.

Additional details about miniFlame can be found in the blog post at Securelist.com:http://www.securelist.com/en/blog/763/miniFlame_aka_SPE_Elvis_and_his_friends

The full report on miniFlame can be found following this link:http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends

Related Stories:

Mikko’s world: Governments, factories and washing machines

Stuxnet, Flame and the new world disorder

Online banking accounts in Middle East targeted by ‘Gauss’

Security alert over ‘Madi’ cyber-espionage campaign in Middle East