• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Kaspersky Lab Discovers "miniFlame," a New Virus Designed for Cyber Espionage

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
46,276 (7.69/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Today Kaspersky Lab announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems during targeted cyber espionage operations.

miniFlame, also known as SPE, was found by Kaspersky Lab's experts in July 2012, and was originally identified as a Flame module. However, in September 2012, Kaspersky Lab's research team conducted an in-depth analysis of Flame's command & control servers (C&C) and from the analysis found that the miniFlame module was actually an interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware.

Analysis of miniFlame showed there were several versions created between 2010 and 2011, with some variants still being active in the wild. The analysis also revealed new evidence of the cooperation between the creators of Flame and Gauss, as both malicious programs can use miniFlame as a "plug-in" for their operations.

Main Findings:
  • miniFlame, also known as SPE, is based on the same architectural platform as Flame. It can function as its own independent cyber espionage program or as a component inside both Flame and Gauss.
  • The cyber espionage tool operates as a backdoor designed for data theft and direct access to infected systems.
  • Development of miniFlame might have started as early as 2007 and continued until the end of 2011. Many variations are presumed to be created. To date, Kaspersky Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
  • Unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller. According to Kaspersky Lab's data, the number of infections is between 10-20 machines. The total number of infections worldwide is estimated at 50-60.
  • The number of infections combined with miniFlame's info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.
Discovery
The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware. In July 2012 Kaspersky Lab's experts identified an additional module of Gauss, codenamed "John" and found references to the same module in Flame's configuration files. The subsequent analysis of Flame's command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a "plug-in" by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame's original C&C servers.

Kaspersky Lab discovered six different variations of miniFlame, all dating back to 2010-2011. At the same time, the analysis of miniFlame points to even earlier date when development of the malware was commenced - not later than 2007. miniFlame's ability to be used as a plug-in by either Flame or Gauss clearly connects the collaboration between the development teams of both Flame and Gauss. Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same "cyber warfare" factory.

Functionality
The original infection vector of miniFlame is yet to be determined. Given the confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on machines already infected by Flame or Gauss. Once installed, miniFlame operates as a backdoor and enables the malware operators to obtain any file from an infected machine. Additional info-stealing capabilities include making screenshots of an infected computer while it's running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service, or an FTP client. miniFlame uploads the stolen data by connecting to its C&C server (which may be unique, or "shared" with Flame's C&Cs). Separately, at the request from miniFlame's C&C operator, an additional data-stealing module can be sent to an infected system, which infects USB drives and uses them to store data that's collected from infected machines without an internet connection.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: "miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."

Kaspersky Lab would like to thank CERT-Bund/BSI for their kind assistance with this investigation. The full report on miniFlame can be found here.

View at TechPowerUp Main Site
 
Joined
May 14, 2012
Messages
891 (0.21/day)
Location
US
Processor AMD Ryzen 5 1600X
Motherboard AsRock X370 Taichi
Cooling Corsair H60 Liquid Cooling
Memory 16 GB CORSAIR Vengeance LPX 3000 Mhz (Running at 2933)
Video Card(s) EVGA FTW2 GTX 1070Ti
Storage 740GB of SSDs, 7 TB's of HDDs
Display(s) LG 27UD58P-B 27” IPS 4K
Case Phanteks Enthos Pro M
Audio Device(s) Integrated
Power Supply EVGA 750 P2
Mouse Mionix Naos 8200
Keyboard G Skill Ripjaws RGB Mechanical Keyboard
Software Windows 10 Pro
May be development since 2007? That's not good at all....
 
Joined
Mar 15, 2008
Messages
1,110 (0.19/day)
Well, I've always wondered where computer viruses really came from. Kaspersky Lab was always the number one suspect for me. BUT now, seeing that these claims of theirs remain uncontested by anyone, I begin to change my mind about this...
 
Joined
Oct 2, 2004
Messages
13,791 (1.94/day)
I don't get it why are ppl always so surprised on such discoveries. These are the tools for highly targeted attacks.

Imagine comparing a full on army of 200.000 soldiers attacking some country or a team of 5 highly skilled spec ops doing destruction behind enemy lines. It's obvious that you'd notice the 200.000 men army faster than you'd detect a 5 member team. If ever... It's the same here. If it's such targeted specific tool like derivates of Flame, it's nothing unusual to discover them with such big delay. If you even discover them at all.

This discovery was probably made by "mistake" and the file got caught by honeypots at some point.
 
Joined
Dec 5, 2006
Messages
7,704 (1.22/day)
System Name Back to Blue
Processor i9 14900k
Motherboard Asrock Z790 Nova
Cooling Corsair H150i Elite
Memory 64GB Corsair Dominator DDR5-6400 @ 6600
Video Card(s) EVGA RTX 3090 Ultra FTW3
Storage 4TB WD 850x NVME, 4TB WD Black, 10TB Seagate Barracuda Pro
Display(s) 1x Samsung Odyssey G7 Neo and 1x Dell u2518d
Case Lian Li o11 DXL w/custom vented front panel
Audio Device(s) Focusrite Saffire PRO 14 -> DBX DriveRack PA+ -> Mackie MR8 and MR10 / Senn PX38X -> SB AE-5 Plus
Power Supply Corsair RM1000i
Mouse Logitech G502x
Keyboard Corsair K95 Platinum
Software Windows 11 x64 Pro
Benchmark Scores 31k multicore Cinebench - CPU limited 125w
I don't get it why are ppl always so surprised on such discoveries. These are the tools for highly targeted attacks.

Imagine comparing a full on army of 200.000 soldiers attacking some country or a team of 5 highly skilled spec ops doing destruction behind enemy lines. It's obvious that you'd notice the 200.000 men army faster than you'd detect a 5 member team. If ever... It's the same here. If it's such targeted specific tool like derivates of Flame, it's nothing unusual to discover them with such big delay. If you even discover them at all.

This discovery was probably made by "mistake" and the file got caught by honeypots at some point.

Exactly.
 
Top