Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

New malicious program designed for targeted cyber espionage operations

1 October 2012 Information Security

Kaspersky Lab announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and was originally identified as a Flame module. However, in September 2012, Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command & control servers (C&C) and from the analysis found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware.

Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild. The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a plug-in for their operations.

Main findings:

* miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.

* The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.

* Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variations are presumed to be created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.

* Unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller. According to Kaspersky Lab’s data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60.

* The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

Discovery

The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware. In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed 'John' and found references to the same module in Flame’s configuration files. The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a plug-in by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original C&C servers.

Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011. At the same time, the analysis of miniFlame points to an even earlier date when development of the malware was commenced – not later than 2007. miniFlame’s ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same 'cyber warfare' factory.

Functionality

The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss. Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. Additional info-stealing capabilities include making screenshots of an infected computer while it is running a specific program or application in such as a Web browser, Microsoft Office, Adobe Reader, instant messenger service, or an FTP client. miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or shared with Flame’s C&Cs). Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an Internet connection.

Alexander Gostev, chief security expert, Kaspersky Lab, commented: “miniFlame is a high precision attack tool. Most likely it is a targeted cyber weapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programmes used for cyber warfare operations - Stuxnet, Duqu, Flame and Gauss.”

Kaspersky Lab would like to thank CERT-Bund/BSI for their kind assistance with this investigation.

Additional details about miniFlame can be found in the blog post at Securelist.com: http://www.securelist.com/en/blog/763/miniFlame_aka_SPE_Elvis_and_his_friends>

The full report on miniFlame can be found following this link: http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends





Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...











SMART Security Business Directory



Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.