State-Sponsored Malware ‘Flame’ Has Smaller, More Devious Cousin

Graph showing the geographical location of machines infected with miniFlame. Courtesy of Kaspersky Lab

Researchers have uncovered new nation-state espionage malware that has ties to two previous espionage tools known as Flame and Gauss, and that appears to be a “high-precision, surgical attack tool” targeting victims in Lebanon, Iran and elsewhere.

Researchers at Kaspersky Lab, who discovered the malware, are calling it miniFlame, although the attackers who designed it used two other names – “SPE” and “John.” MiniFlame appears to be used to gain control of, and expand spying capabilities on, select computers originally infected by the Flame and Gauss spyware.

It is the fourth piece of nation-state malware discovered in the last year that appears to have been created by the same group behind Stuxnet, the groundbreaking cyberweapon that sabotaged Iran’s nuclear program and is believed to have been created by the U.S. and Israeli governments. The others – all designed for espionage rather than destruction – are Duqu, Flame, and Gauss.

The new malware adds to the arsenal of cyber tools that are quickly becoming the hallmark of nation-state intelligence gathering and warfare, and it provides new clues into how such operations are conducted.

“With Flame, Gauss and miniFlame, we have probably only scratched [the] surface of the massive cyber-spy operations ongoing in the Middle East,” the Kaspersky researchers write in a report released Monday. “Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown.”

The revelation comes as the U.S. continues to beat the drum against China for its involvement in nation-state cyberespionage, including that country’s alleged hacks against Google to obtain intelligence about political dissidents and against defense contractors to obtain military secrets.

The miniFlame/SPE malware is actually a module that can be used on its own as a small, standalone espionage tool, or it can be plugged into the much larger Flame espionage tool, or into Gauss.

Until now, Flame and Gauss were believed to be independent nation-state projects that had no connection; but the discovery of miniFlame is the first solid clue that the two projects came out of the same “cyberweapon factory” and were part of the same larger operation, the researchers say.

The module is designed to steal data and open a backdoor into infected machines to give attackers direct and complete remote control over the machines. Once the backdoor is in place, the attackers can send commands to the machines – to steal data or take screenshots, for example – or download other malicious files to the machines.

“Neither Flame nor Gauss allow [the attackers] to directly control the infected system,” says Roel Schouwenberg, senior researcher at Kaspersky Lab. “They’re not designed to allow direct interaction between the attackers and the victim [the way miniFlame does].”