Newly Discovered “Flame” Cyber Weapon On Par With Stuxnet, Duqu

“Flame,” a Highly Sophisticated and Discreet Cyber Weapon, Has Been Discovered Targeting the Middle East

A new cyber threat some say rivals Stuxnet and Duqu in complexity has been discovered on systems in the Middle East.

Known as Flame or Flamer, the threat is an attack toolkit that appears to be targeting systems in several countries, principally Iran and Israel (West Bank). Earlier today, Iran’s National Computer Emergency Response Team issued an alert stating the malware was tied to multiple incidents of “mass data loss” in the country’s computer networks.

The first confirmed appearance of the malware has been traced to 2010, though Symantec also said it has unconfirmed reports stretching back to 2007.

According to Kaspersky Lab, Flame is a backdoor Trojan with worm-like features that allow it to propagate itself on local networks and removable media. When a system is infected, the malware begins a series of operations that range from taking screenshots to recording audio conversations and intercepting network traffic. The malware’s operators can also upload additional modules to expand Flame’s functionality.

“Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators,” blogged Alexander Gostev, head of Kaspersky Lab’s Global Research and Analysis team. “Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”

Cyber Espionage Weapon "Flamer"

When all of its modules are installed, the malware is 20 MB in size, making it about 20 times larger than Stuxnet. It also contains code written in Lua, a programming language uncommon in the cyber underworld.

“LUA is a scripting (programming) language, which can very easily be extended and interfaced with C code,” Gostev explained. “Many parts of Flame have high order logic written in Lua – with effective attack subroutines and libraries compiled from C++…usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.”

The modular nature of the malware suggests its developers created it with the goal of maintaining the project over a long period of time – most likely along with a different set of individuals using the malware, according to Symantec’s Security Response team.

“The architecture being employed by W32.Flamer allows the authors to change functionality and behavior within one component without having to rework or even know about the other modules being used by the malware controllers,” Symantec noted. “Changes can be introduced as upgrades to functionality, fixes, or simply to evade security products.”

“The complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date,” according to Symantec. “As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives. Certain file names associated with the threat are identical to those described in an incident involving the Iranian Oil Ministry.”

According to Gostev, there does not appear to be any overarching theme with regard to targets, indicating that Flame may have been designed for more general cyber-espionage purposes. He speculated that Flame was developed separately from Duqu and Stuxnet, and noted that Flame’s developers did not use the Tilded platform used for Duqu and Stuxnet. However, he noted that Flame makes use of the same print spooler vulnerability exploited by Stuxnet. It also abuses AutoRun, just like Stuxnet.

“Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states,” Gostev noted. “Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”

Written By

Marketing professional with a background in journalism and a focus on IT security.