
New Flame Malware Version Rises From the Veils of Obscurity

When Kaspersky Lab's researchers tore the well-kept mask off the Flame malware kit in 2012, the actors behind it swiftly triggered the threat's built-in kill module and wiped the 80 or so associated command-and-control servers off the face of the earth, seemingly marking the toolkit's untimely demise. Or so we thought. Researchers at Chronicle Security, Alphabet's cybersecurity division, have just found a new Flame version that was presumably active between 2014 and 2016. Chronicle's findings show that Flame neither died in 2012 nor stopped operating for good.

Searching Old Malware with New Tools

To find Flame 2.0, Chronicle's researchers Juan-Andres Guerrero-Saade and Silas Cutler combined the YARA malware research tool with VirusTotal's malware repository. They wrote YARA rules and set parameters to scan the vast amount of malicious code stored on VirusTotal in search of recently submitted samples whose code resembles that of the original Flame malware. The retrospective query paid off: it yielded one match, a batch of files created in early 2014 and submitted to VirusTotal in 2016. Strangely enough, no AV solution had flagged the files as potentially dangerous. That means Flame 2.0 features enhanced anti-detection mechanisms, or, like its original counterpart, exploits unknown zero-day vulnerabilities, or both.
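The hunt described above boils down to three things: a signature expressing code similarity, a repository of samples, and a filter on when each sample was first submitted. The following Python is an added example written for this article, not Chronicle's tooling and not VirusTotal's or YARA's code: it reimplements the pieces of YARA the hunt relied on (hex byte patterns with `??` wildcards, plain text strings, and an "N of them" condition) and runs one rule over a constructed, in-memory sample set restricted to a submission-date window. Every pattern, sample identifier and byte blob in it is a constructed placeholder, not a real Flame indicator.

```python
"""Retrospective YARA-style hunt over a sample repository (constructed example)."""
import re
from dataclasses import dataclass
from datetime import date


def hex_pattern(text: str) -> re.Pattern:
    """Compile a YARA-style hex string such as "55 8B EC 83 EC ?? 53" to a bytes regex.

    "??" matches any single byte, mirroring YARA's wildcard; every other token is
    a literal byte.
    """
    parts = []
    for tok in text.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(text: str) -> re.Pattern:
    """Compile a plain ASCII string (a YARA text string) to a bytes regex."""
    return re.compile(re.escape(text.encode("ascii")))


@dataclass
class Rule:
    name: str
    strings: dict      # identifier -> compiled bytes regex
    required: int      # the "<required> of them" condition


@dataclass
class Sample:
    sample_id: str     # placeholder identifier, not a real file hash
    first_seen: date   # date the sample was first submitted to the repository
    data: bytes


def matched_strings(rule: Rule, data: bytes) -> list:
    """Identifiers of the rule's strings found anywhere in the blob."""
    return [ident for ident, pat in rule.strings.items() if pat.search(data)]


def retrohunt(rule: Rule, samples: list, since: date, until: date) -> list:
    """Apply the rule to every sample first submitted within [since, until].

    Returns (sample_id, matched identifiers) for each sample that satisfies the
    rule's "N of them" condition.
    """
    hits = []
    for s in samples:
        if not (since <= s.first_seen <= until):
            continue
        found = matched_strings(rule, s.data)
        if len(found) >= rule.required:
            hits.append((s.sample_id, found))
    return hits


# Constructed rule: two code fragments plus one marker string, condition "2 of them".
FLAME_LIKE_RULE = Rule(
    name="constructed_flame_like",
    strings={
        "$prologue": hex_pattern("55 8B EC 83 EC ?? 53 56 57"),
        "$loop":     hex_pattern("8B 45 ?? 33 D2 F7 75 ??"),
        "$marker":   text_pattern("CONSTRUCTED_MARKER"),
    },
    required=2,
)

# Constructed sample repository; the bytes are placeholders, not real files.
SAMPLES = [
    # An "old" sample that the rule was derived from: matches, but predates the window.
    Sample("sample-2012-known", date(2012, 6, 1),
           b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" + b"CONSTRUCTED_MARKER"),
    # A newer submission sharing two of the three code fragments: the retrohunt hit.
    Sample("sample-2016-new", date(2016, 5, 9),
           b"\x00" * 8 + b"\x55\x8b\xec\x83\xec\x20\x53\x56\x57"
           + b"\x8b\x45\xf8\x33\xd2\xf7\x75\xfc" + b"\x90" * 4),
    # A newer submission sharing only one fragment: below the "2 of them" bar.
    Sample("sample-2016-benign", date(2016, 7, 10),
           b"MZ" + b"\x8b\x45\xf8\x33\xd2\xf7\x75\xfc" + b"\x00" * 16),
]


def hunt_2016() -> list:
    """The retrospective query: only samples first submitted during 2016."""
    return retrohunt(FLAME_LIKE_RULE, SAMPLES, date(2016, 1, 1), date(2016, 12, 31))


if __name__ == "__main__":
    for sample_id, found in hunt_2016():
        print(f"{sample_id}: {FLAME_LIKE_RULE.name} matched {found}")
```

The "N of them" threshold is what makes this a similarity search rather than an exact-match lookup: a sample that shares only a generic fragment (here `sample-2016-benign`) is discarded, while one that shares enough distinct fragments surfaces even though no single byte string identifies it outright. Widening the date window to 2012 would also return the reference sample, which is how a hunter confirms the rule still fires on the material it was derived from.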

What About Flame 2.0’s Features?

Since Flame 2.0's encryption appears to be light years ahead of its predecessor's, the security community across the globe has yet to join forces and crack the code. The full functionality of the new kit is therefore anyone's guess. If the multi-modular nature of the first Flame malware kit is anything to go by, however, we can reasonably expect a wide variety of features including, but not limited to:

  • A network traffic scanner for retrieving admin login credentials, which give the intruders high-level privileges across the entire local network.
  • A transport vehicle module (known as Viper/Wiper in Flame 1.0, not to be confused with the Viper/Wiper malware whose sole purpose is to erase data) for moving the collected data to a C&C.
  • A Bluetooth sniffer exploiting the Bluetooth function of the infected machine to steal contact numbers from other Bluetooth devices nearby.
  • A screen capture module allowing the crooks to take screenshots and collect the user's instant messages and emails.
  • A voice recorder (via the PC's microphone) for recording every word the PC user says.

Flame 1.0 sported all of the features mentioned above, and then some, in the form of additional plugins that could be switched on and off anytime, at the whim of the malware actors.

Flame 2.0's geographical distribution is likewise beyond the realm of certainty for the time being. It could mirror that of the original toolkit by targeting individuals, businesses, public institutions, and government agencies in the Middle East and North Africa, or it could diverge from it – a question researchers have yet to tackle.

Retrospective Search Resurrecting Defunct Threats

The retroactive approach applied in uncovering Flame 2.0 appears to have achieved yet another breakthrough. Chronicle's researchers have already linked the old Stuxnet malware to Flowershop, a malicious toolkit developed in 2002. Flowershop not only shared similar code with Stuxnet but also used the same communication channels between the C&C server(s) and the targeted PCs. It will hardly be a surprise if future investigations find links between malware families previously thought to have nothing in common.
