Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Flame Creators Triggered ‘Suicide Function’ In Attempt To Hide Its Tracks

Flame Malware Used Self Destruct "Suicide Command"

Authors Behind Flame Attempt to Cleanup – Issue Kill Command to Infected Systems

Flame Malware Used Self Destruct "Suicide Command"

Authors Behind Flame Attempt to Cleanup – Issue Kill Command to Infected Systems

It appears that the authors behind Flame attempted to cleanup, according to research coming from Symantec. The security firm noticed that one of their monitoring systems received a self-destruct command that removes the malware completely, and overwrites the disk to prevent further investigation into the infection.

Flame, Flamer, or sKyWIper, depending on who you talk to, is the name for the advanced Malware discovered in May that has been compared to Stuxnet and Duqu.

“The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers. Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products,” Symantec noted at the time.

“As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.”

While the security community has been tearing the malware apart in order to learn more about it, which has yielded some interesting discoveries (see the coverage here and here), those responsible for it still had some control.

On Wednesday, Symantec observed one of Flame’s command servers issuing new instructions to compromised systems – Urgent Suicide.

“This command was designed to completely remove Flamer from the compromised computer,” Symantec wrote

Advertisement. Scroll to continue reading.

“Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer… The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection.”

The fact that this module has remained unknown until now is expected, given that it removes all traces of infection and prevents any forensic research, Symantec added.

“The existence of this module is interesting in itself. Previously analyzed Flamer code showed us a component named SUICIDE, which is functionally similar to browse32.ocx. It is unknown why the malware authors decided not to use the SUICIDE functionality, and instead make Flamer perform explicit actions based on a new module,” Symantec’s advisory concludes.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...