W32.Flamer.B: Additional Module Discovered

In our joint analysis of a W32.Flamer command-and-control (C&C) server, as documented here, we described several C&C server protocols present in code on the server.  One of those protocols we knew was associated with W32.Flamer. The other remaining protocol had not previously been observed in the wild and no samples were retrieved which used those protocols.

Figure 1. Protocols present on W32.Flamer C&C server

The samples appear to have remained unobserved for so long due to their highly targeted nature, however one more of those protocols has been identified and found to be in use. That protocol is for a module that can operate independently of W32.Flamer.

We have added detection for this threat as W32.Flamer.B.

Thanks to Kaspersky Labs for making those samples available.