
Cyber espionage tool discovered

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 16 Oct 2012
Kaspersky's hypothesis is that miniFlame was distributed mainly by Flame and Gauss.

Kaspersky Lab has discovered miniFlame, one of the most sophisticated pieces of spying software uncovered to date, and one able to execute more precise attacks on Middle Eastern targets.

The malware is small and highly flexible, and is designed to steal data and control infected systems during targeted cyber espionage operations.

The tool operates as a backdoor designed for data theft and direct access to infected systems, and may have originated as far back as 2007 and continued until the end of 2011.

Its older cousin, Flame, stole data from around 5 000 computers, mostly in Iran and Sudan; miniFlame has attacked only 50 to 60 far more targeted machines.

The number of infections, combined with miniFlame's info-stealing features and flexible design, indicates it was used for extremely targeted cyber-espionage operations. Kaspersky's hypothesis is that miniFlame was distributed mainly by Flame and Gauss; Gauss was most prevalent in Lebanon and may have been aimed at tracking financial transactions.

Not much is known about miniFlame's victims, except that they were more geographically dispersed than the victims of Flame and Gauss. Infections were found most of all in Lebanon and Iran, but also in the Palestinian Territories, Kuwait and Qatar, according to Kaspersky.

Analysis of miniFlame revealed several versions of the malware, created between 2010 and 2011, with some variants still active in the wild.

Notably, the analysis also uncovered fresh evidence of co-operation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a plug-in for their operations.

Aleks Gostev, chief security expert at Kaspersky Lab, says the original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss.

He says, once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. "Additional info-stealing capabilities include making screenshots of an infected computer while it's running a specific program or application such as a Web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client."

Gostev says the cyber-espionage tool then uploads the stolen data by connecting to its command and control (C&C) server. Separately, at the request of miniFlame's C&C operator, an additional data-stealing module can be sent to an infected system; this module infects USB drives and uses them to store data collected from infected machines that have no Internet connection.

Kaspersky Lab acknowledged CERT-Bund/BSI for their assistance with this investigation.
