Newly discovered spying malware designed to steal data from infected systems was likely built from the same cyber-weaponry factory that produced two other notorious cyberespionage software Flame and Gauss, a security vendor says.
Kaspersky Lab released a technical paper Monday outlining the discovery of the malware the vendor has dubbed “miniFlame.”
While capable of working with Flame and Gauss, miniFlame is a “small, fully functional espionage module designed for data theft and direct access to infected systems,” Kaspersky said.
Kaspersky reported the existence of Flame in May and a month later discovered Gauss. A nation-state is believed to have developed both highly sophisticated malware for cyberespionage and cybersabotage operations in the Middle East.
MiniFlame was discovered during an analysis of the Flame command and control servers, a study initiated by the International Telecommunication Union and conducted by Kaspersky. While capable of operating by itself, miniFlame was downloaded in computers already infected with Flame and Gauss.
“The discovery of miniFlame, which works with both these espionage projects, proves that we were right when we concluded that they had come out of the same cyber-weapon factory,” Kaspersky said in its security blog.
Flame and Gauss are believed to have infected no less than 10,000 systems, while miniFlame was detected in just a few dozen systems in western Asia. Because of the low number of infections, Kaspersky said miniFlame was a “high precision, surgical attack tool” used only against very specific targets that were deemed most important by the attackers.
Flame and Gauss used a similar modular structure, code base and communication system to receive instructions from command and control servers. However, the malware were parallel projects that used separate servers.
Kaspersky has uncovered technical evidence that Flame and Gauss are related to Stuxnet and Duqu, two other cyberespionage software that targeted Middle Eastern states, particularly Iran and Palestine. The New York Times reported that the U.S. and Israeli governments created Stuxnet as part of a secret operation with the goal of crippling Iran’s nuclear program.
MiniFlame has existed at least since 2007 with development continuing into this year, Kaspersky said. Dozens of different modifications of the malware were likely developed, although Kaspersky has found only a half dozen dated 2010 to 2011. Those variants were developed in parallel to Flame and Gauss.
MiniFlame variants were found in Lebanon, Palestine, Iran, Kuwait and Quatar. By comparison, the majority of Flame infections were in Iran and Sudan, and Gauss in Lebanon. MiniFlame was unique in that it operated as a plugin for both of its cousins.
The main purpose of miniFlame was to steal data and act as a backdoor on infected systems that allowed direct control by the attackers. Kaspersky believes the attackers used Flame and Gauss to determine which compromised systems were the most valuable in terms of information and then deployed miniFlame in those systems for surveillance and monitoring.
“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East,” Kaspersky said. “Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown.”
The Computer Emergency Response Team (CERT) in Germany assisted Kaspersky in the investigation.