Flame Analysis Uncovers Unknown Malware, Traces Espionage Tool Back to 2006

Flame Cyber Espionage Tool

The ongoing investigation into the Flame malware has traced the development of the Flame platform back to 2006.

According to research by Kaspersky Lab, Symantec, CERT-Bund/BSI and the International Telecommunication Union’s Impact Alliance, the development of Flame’s command and control (C&C) platform began as early as December 2006. This is much earlier than researchers initially thought; the first reports placed Flame’s development in 2010. Later, it was discovered that some domains used by Flame were registered in 2008. An analysis of the malware’s C&C servers, however, revealed that the developers had left internal timestamps and their nicknames in scripts.

“From this, we can conclude that the first C&C files were created on 03 December 2006, which means that the Flame platform is much older than we originally estimated,” according to Kaspersky Lab. “There were four people responsible for this C&C development. It is obvious to us that one of them…was more experienced than the others. He coded some very smart patches and implemented complex logics; in addition, he seems to be a master of encryption algorithms.”

The analysis also revealed unidentified pieces of malware that were being managed by the servers as well.

“Command-and-control happens through a Web application called Newsforyou,” according to Symantec’s Security Response team. “The application processes the W32.Flamer client interactions and provides a simple control panel. The control panel allows the attackers to upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data. This application does not appear to be exclusively used by Flamer. It contains functionality that allows it to communicate with computers compromised with multiple malware identifiers using different protocols.”

Several threats supported by this framework are still unknown, Symantec said, speculating that they are most likely unknown variants of Flame or totally distinct malware. There is no sign the Flame servers were used to control Stuxnet or Gauss.

“The servers were set up to record minimal amounts of information in case of discovery,” according to Symantec. “The systems were configured to disable any unnecessary logging events and entries in the database were deleted at regular intervals. Existing log files were securely deleted from the server on a regular basis. These steps were taken in order to hamper any investigation should the server be acquired by third parties.”

Flame, which has been called a cyber-espionage tool by researchers, was discovered in May during an investigation initiated by the International Telecommunication Union. Since then, reports have surfaced linking it to the infamous Stuxnet malware uncovered in 2010.


“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers,” Alexander Gostev, chief security expert at Kaspersky Lab, said in a statement. “Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data than one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale.”
