Flame Malware – I’m Back
Stuxnet, Flame Malware Making a Comeback
Cristal M Clark
Flame malware, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware that attacked computers running the Microsoft Windows operating system. The program was used for targeted cyber espionage in Middle Eastern countries. Researchers once described it as a sophisticated little gem of malware, built as a nation-state spy tool. Once Kaspersky Lab outed it, it was quickly and quietly shuttered and forgotten about, until now.
Believed to have been created by Israel, Flame was the first modular spy platform discovered in the wild; it came with multiple plug-ins that could be swapped in and out according to whatever tools were needed for each victim.
It had a lot of capability that was unique at the time it was discovered, and it also used a highly sophisticated technique for spreading.
The attackers tricked Microsoft into issuing them a legitimate Microsoft certificate, which they then used to sign their malicious files. They then subverted the trusted Windows Update mechanism, through which Microsoft distributes patches and software upgrades to customers, to deliver those malicious files to targeted victims instead, doing so in a way that made the files look like they came from Microsoft’s server.
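The lesson a defender takes from a validly signed malicious file is that "chains to a trusted root" is not the same as "authorized to sign code". The Go program below is an added example, not code from this post or from any of the research teams it cites: it builds three constructed certificates (a root, an issuing CA, and a signing leaf, none of them real Microsoft or Flame artifacts) and contrasts a naive chain check, which accepts any purpose, with a check that requires the code-signing purpose along the whole chain. The CA names, keys and purposes are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a three-certificate path: root -> intermediate -> signing leaf.
// Everything here is constructed for the example; nothing resembles a real
// Microsoft certificate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate template; ekus is the extended key usage
// list (nil means "no restriction stated").
func template(cn string, serial int64, isCA bool, ekus []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           ekus,
	}
}

// sign issues tmpl under parent with the parent's private key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain issues root -> intermediate -> leaf. interEKU controls what the
// intermediate CA is allowed to vouch for; the leaf always claims code
// signing, as a certificate used to sign executables would.
func BuildChain(interEKU []x509.ExtKeyUsage) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("Example Root CA (constructed)", 1, true, nil)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := sign(template("Example Issuing CA (constructed)", 2, true, interEKU), root, &interKey.PublicKey, rootKey)
	leafT := template("example-signer (constructed)", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})
	leaf := sign(leafT, inter, &leafKey.PublicKey, interKey)
	return Chain{root, inter, leaf}
}

// Verify checks that the leaf chains to the trusted root for the given purpose.
// x509.ExtKeyUsageAny is the naive "does it reach the trusted root?" check;
// x509.ExtKeyUsageCodeSigning is what a signature validator should require,
// and Go enforces it on every certificate in the chain, not just the leaf.
func Verify(c Chain, purpose x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{purpose},
	})
	return err
}

func main() {
	// Intermediate scoped to a purpose that does not include code signing.
	restricted := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	// Intermediate explicitly permitted to issue code-signing certificates.
	permitted := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning})

	fmt.Println("restricted chain, any purpose: ", Verify(restricted, x509.ExtKeyUsageAny))
	fmt.Println("restricted chain, code signing:", Verify(restricted, x509.ExtKeyUsageCodeSigning))
	fmt.Println("permitted chain, code signing: ", Verify(permitted, x509.ExtKeyUsageCodeSigning))
}
```

The first call returns nil: the leaf does reach the trusted root, which is all a naive check asks. The second fails, because the issuing CA was never scoped to code signing even though the leaf claims it. Note that Go's `Verify` falls back to `ExtKeyUsageServerAuth` when `KeyUsages` is left empty, so a validator that forgets to set the purpose is not checking what it thinks it is.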
The attackers also managed a fleet of 80 command-and-control domains to communicate with infected machines. Then they faked Flame’s death back in May 2012, pushing out a kill module to infected machines and closing shop on the command-and-control servers.
Most researchers thought that the creators had simply shut things down in a panic, not realizing that it may never have been truly shut down, just, ehhh, more or less running in the background unbeknownst to virtually everyone in the security world.
The original Flame attacked systems in Iran as well as other parts of the Middle East. It would do things such as turn on the internal microphone of an infected machine to record conversations the user conducted near the computer or over Skype, or, using the infected computer’s Bluetooth functionality, scan for other Bluetooth-enabled devices in the vicinity, such as a mobile phone, and siphon the contacts folder from it.
Great little piece of spyware honestly.
The attackers appear to have re-tooled their little spy kit and added strong encryption to make it harder to detect and reverse engineer, according to researchers at Alphabet’s Chronicle Security, who discovered that a new version of Flame appeared in 2014 (the original dates back to 2012) and likely remained active until 2016 and beyond, giving them just enough time to steal and deploy whatever they would like.
Juan-Andres Guerrero-Saade, one of the Chronicle security researchers who made the discovery, said: “Nobody ever expected to see Flame again. We figured it was too old and expensive for the attackers to waste time retooling rather than just build a whole new platform.”
Juan-Andres did not stop there either; he went on to explain that he and his team also found evidence that Stuxnet, you know, the virus/worm created by the US and Israel to sabotage Iran’s nuclear program in 2007, which ended up infecting virtually every PC in the US as well as globally, has connections to another malware family known as Flowershop.
Oh, Flowershop. Flowershop was operating as early as 2002, several years before Stuxnet was developed, and it appears that some of Flowershop’s code made it into a Stuxnet component. If true, that means a fourth team or group of individuals was part of America’s first cyberwar campaign, the development of Stuxnet. What’s more, researchers have in fact previously found connections between Stuxnet and Flame, and between Stuxnet and two other malware families known as Duqu and the Equation Group, the latter a set of tools attributed to the NSA.
The new discovery has baffled researchers, who still do not have a full understanding of the capabilities of Stuxnet and Flame, so it’s anyone’s guess what the creators of Flame might be up to these days. One thing is for certain: they do not plan on stopping anytime soon.