Kaspersky Lab has discovered a cut-down version of the infamous Flame cyber-espionage weapon.
MiniFlame, like its big brother, is also an information-slurper well suited to cyber-spying. The malware, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and originally labelled as a Flame module.
All these advanced threats come from the same “cyber warfare” factory, the Russian anti-virus firm concludes.
At least six versions of miniFlame were created between 2010 and 2011, with some variants still being active in the wild. Development of the malware may have started as early as 2007.
Mini Flame operates as a backdoor designed for data theft and direct access to infected systems. The number of infections related to mini Flame is much smaller than the volume attributable to either Flame or Gausss. Kaspersky Lab estimates mimiFlame racked up just 50 to 60 infections worldwide.
The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss,” .
The original infection vector of miniFlame is yet to be determined. Once installed, miniFlame creates a backdoor that allows any file to be extracted from a compromised machine. The malware is also capable of making screenshots on infected PCs.
miniFlame uploads stolen data to its C&C server (which may be unique, or ‘shared’ with Flame’s C&Cs). Commands to control servers allow miniFlame to gain access to a module which “infects USB drives and uses them to store data that’s collected from infected machines without an internet connection”.
miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyber attack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss.”