Kaspersky Lab has announced the discovery of miniFlame, a small and highly flexible malicious program, which has been designed to steal data, and control infected systems during targeted cyber espionage operations.

The miniFlame, which is also known as SPE, was found by Kaspersky Lab’s experts in July 2012. It had been originally identified as a Flame module. In September 2012, when Kaspersky Lab’s research team conducted an in-depth analysis of Flame’s command and control servers (C&C), it found that the miniFlame module was in fact an 'interoperable tool' that could be used as an independent malicious program, or together as plug-in for both the Flame and Gauss malware.

The most deadly yet?

The number of miniFlame infections is small, as compared to Flame and Gauss

An analysis of the miniFlame reveals that there were several versions that were created between 2010 and 2011, and there were a few of them still active in the wild. In fact, the analysis unearthed new evidence that indicates the coming together of the creators of Flame and Gauss. Both malicious programs could be using miniFlame as a 'plug-in' for their operations.

Unlike Flame or Gauss, which caused high numbers of infections, miniFlame caused few infections. According to data from Kaspersky Lab, the number of infections is between 10 and 20 machines. The total number of infections worldwide is estimated at 50 to 60.

The number of infections combined with miniFlame’s information-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.

An official blog post by Kaspersky states that it in July this year, experts at Kaspersky Lab came across an additional module of Gauss, codenamed 'John'. Incidentally, they found references to the same module in Flame’s configuration files. Further analysis of Flame’s command and control servers conducted in September 2012 revealed that the newly discovered module was a separate from the malicious program. 

Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011. The analysis of miniFlame indicates an even earlier date, which is when the development of the malware began – not later than 2007. 

That miniFlame is capable of being used as a plug-in by either Flame or Gauss is an indicator of the collaboration between the development teams of both Flame and Gauss. “Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same “cyber warfare” factory,” stated the official blog post by Kaspersky. ”The original infection vector of miniFlame is yet to be determined.”

However, now since the collaboration between the development teams of Flame and Gauss stands confirmed, experts believe that miniFlame may be installed on those machines already infected by Flame or Gauss. Upon installation, miniFlame works as a backdoor, and allows mischief makers to lay their hands any file on an infected machine. It adds that miniFlame’s other known antics include making screenshots of an infected machine while it is running a specific program or application such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client. By connecting to its C&C server (which may be unique, or “shared” with Flame’s C&Cs), miniFlame puts up the stolen data. “Separately, at the request from miniFlame’s C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that’s collected from infected machines without an internet connection,” it goes on to reveal further. 

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented, “miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”

Tags: , , , , , , , , , , , , , , , , , ,