Security researchers investigating the Flame malware toolkit have uncovered a new malware component designed to be used for extremely targeted attacks.
The newly discovered SPE malware, or miniFlame, connects Flame to another attack toolkit believed to be used in nation state-sponsored cyberespionage called Gauss. Researchers at Russia-based Kaspersky Lab said the link is due to its ability to work with both toolkits.
The connection is not the first Kaspersky researchers have uncovered between Flame and other malware. The security vendor discovered in June that Flame had shared source code with Stuxnet.
"The SPE/miniFlame malware is unique in a sense that it can work either as a stand-alone program, as a Flame plugin or as a Gauss plugin. Essentially, it is a link connecting the Flame and Gauss projects tighter, while remaining independent of them," according to the technical paper about miniFlame, published by Kaspersky this week.
While the likelihood of being targeted by advanced malware such as Flame or Stuxnet is extremely low, experts say protection against targeted attacks is still necessary. Avivah Litan, vice president of Gartner Inc. in Stamford, Conn., said the success of attacks like Flame and Stuxnet will lead to more strikes of a similar nature. Firms in the financial industry, and organizations holding sensitive intellectual property such as government contractors, critical infrastructure owners and operators, and manufacturers and suppliers connected to high-value targets, are at the greatest risk. Thus far, Litan said, attacks coming out of the Middle East have been focused on disruption and espionage, but she believes financial gain will be a growing motivator. Financially motivated cybercriminals can copy the techniques used by advanced malware, making it a more widespread problem.
Flame and Stuxnet highlight the need for enterprises to further develop a layered security program and proactively maintain one. Companies should take these attacks very seriously, but also stop letting the cybercriminals lead the way, she said.
"Enterprises need to get ahead of the problem instead of being in the reactive mode," Litan said.
MiniFlame used in isolated attacks
The scope of miniFlame is much smaller, as the name suggests. Gauss, detected by Kaspersky targeting thousands of individuals in the Middle East, steals passwords, banking credentials, browser cookies and configuration data of infected machines. While the total number of Flame and Gauss victims is believed to be more than 10,000 systems, miniFlame has been identified in 50-60 systems in Western Asia.
"[MiniFlame] is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool," according to the paper.
MiniFlame also differs from Flame and Gauss in its targets. The espionage malware is not focused on one or two countries; rather, the targets vary by malware variant. Countries with recorded incidents include Lebanon, Palestine, Iran, Kuwait and Qatar. In many cases, researchers believe those infected with miniFlame may have already been attacked by Flame or Gauss.
Multiple-wave attack
Kaspersky researchers believe miniFlame has been active for as long as Flame, which was traced back to 2007. The connection between Flame, Gauss and miniFlame has led security researchers to believe that each was part of a multiple-wave attack.
“First wave: infect as many potentially interesting victims as possible. Secondly, data is collected from the victims, allowing the attackers to profile them and find the most interesting targets. Finally, for these "select" targets, a specialized spy tool such as SPE/miniFlame is deployed to conduct surveillance/monitoring,” according to the paper.
While the specialization of Flame and miniFlame leaves a small percentage of enterprises as targets, there are steps companies can take to make sure they are protected. Nick Lewis, an information security architect at Saint Louis University, recommends businesses practice whitelisting and watch for suspicious network traffic. These steps may be useful in preventing future attacks that use similar methods to Flame.
There are still many questions surrounding this malware trio, including what the purpose of the attacks was and who the attackers and victims were.
“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East,” the paper read.