"Flame" a Highly Sophisticated and Discreet Cyber Weapon Has Been Discovered Targeting the Middle East
A new cyber threat some say rivals Stuxnet and Duqu in complexity has been discovered on systems in the Middle East.
Known as Flame or Flamer, the threat is an attack toolkit that appears to be targeting systems in several countries, principally Iran and Israel (West Bank). Earlier today, Iran’s National Computer Emergency Response Team issued an alert stating the malware was tied to multiple incidents of “mass data loss” in the country’s computer networks.
The first confirmed appearance of the malware has been traced to 2010, though Symantec also said it has unconfirmed reports stretching back to 2007.
According to Kaspersky Lab, Flame is a backdoor Trojan with worm-like features that allow it to propagate itself on local networks and removable media. When a system is infected, the malware begins a series of operations that range from taking screenshots to recording audio conversations and intercepting network traffic. The malware's operators can also upload additional modules to expand Flame's functionality.
"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators," blogged Alexander Gostev, head of Kaspersky Lab's Global Research and Analysis team. "Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."
When all of its modules are installed, the malware is 20 MB in size, making it about 20 times larger than Stuxnet. It also contains code written in Lua, a programming language uncommon in the cyber underworld.
"LUA is a scripting (programming) language, which can very easily be extended and interfaced with C code," Gostev explained. "Many parts of Flame have high order logic written in Lua - with effective attack subroutines and libraries compiled from C++…usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame."
The modular nature of the malware suggests its developers created it with the goal of maintaining the project over a long period of time – most likely along with a different set of individuals using the malware, according to Symantec's Security Response team.
"The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers," Symantec noted. "Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products."
"The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date," according to Symantec. "As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry."
According to Gostev, there does not appear to be any overarching theme in regards to targets, indicating that Flame may have been designed for more general cyber-espionage purposes. He speculated that Flame was developed separately from Duqu and Stuxnet, and noted that Flame's developers did not use the Tilded platform used for Duqu and Stuxnet. However, he noted that Flame makes use of the same print spooler vulnerability exploited by Stuxnet. It also abuses AutoRun, just like Stuxnet.
"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states," Gostev noted. "Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it."