miniFlame: the Flame trojan's little brother
Kaspersky Lab has detailed a small, highly-specialised trojan that has been identified as belonging to the Flame spyware worm family. The trojan, which has been dubbed "miniFlame", was discovered during the investigations into Flame, Gauss and Duqu in early July 2012.
Kaspersky Lab said that the discovered malware was initially believed to be an early version of Flame, but, following a detailed analysis of the protocols involved, this assumption turned out to be wrong. miniFlame is a separate spyware trojan and was apparently created in the same trojan lab which built Flame and Gauss. The researchers believe that it was developed in parallel with these trojans in 2010 and 2011.
Kaspersky's analysis concludes that miniFlame plays a special role within the Flame family. While it is functional as a stand-alone trojan, it can also be used as a plugin for Flame and Gauss. This means that Flame and Gauss can load miniFlame, for example, in order to obtain direct access to the infected computer.
A list of commands that can be sent to miniFlame from the command & control servers
An attack involving Flame, Gauss and miniFlame probably plays out like this: first, Flame and Gauss are used to infect as many targets as possible. Then, the attackers harvest their victims' data and use this data to identify targets that could be particularly worthwhile. As the last step, the chosen victims can then be spied on by the miniFlame trojan on a continuing basis.
The specialised nature of miniFlame is reflected in the statistics the researchers collected: Kaspersky has registered Flame and Gauss on about 10,000 systems in the Middle East, while miniFlame has only been found on "a few dozen systems in Western Asia". This confirms Kaspersky's suspicion that miniFlame is being used as a "high precision espionage tool".
However, the company's analysis is not yet complete. The experts believe that further trojan variants exist because the command & control servers "speak" three different protocols. One communicates with Flame and the second with miniFlame, but the communication partner of the third one hasn't been identified yet. Kaspersky is currently using the name "IP" for this "Higgs trojan". It has been attributed to the same trojan lab that also created Flame, Gauss and miniFlame.
Kaspersky says that the new findings around Flame, Gauss and miniFlame have "probably only scratched the surface" of the massive cyber-spy operation that seems to be ongoing in the Middle East. The analysis was carried out on behalf of the International Telecommunication Union (ITU). The German Federal Office for Information Security (BSI) was also involved in the investigation; however, the BSI refused to comment when asked about the precise nature of its involvement by The H's associates at heise Security.
See also:
- Kaspersky Lab Discovers "miniFlame," a New Malicious Program Designed for Highly Targeted Cyber Espionage Operations, press release from Kaspersky Lab.
(fab)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
