State-Sponsored Malware ‘Flame’ Has Smaller, More Devious Cousin

Researchers have uncovered new nation-state espionage malware that has ties to two previous espionage tools known as Flame and Gauss, and that appears to be a “high-precision, surgical attack tool” targeting victims in Lebanon, Iran and elsewhere.

Researchers at Kaspersky Lab, who discovered the malware, are calling the new malware miniFlame, although the attackers who designed it called it by two other names – “SPE” and “John.” MiniFlame seems to be used to gain control of and obtain increased spying capability over select computers originally infected by the Flame and Gauss spyware.

It is the fourth piece of nation-state malware discovered in the last year that appears to have been created by the same group behind Stuxnet, the groundbreaking cyberweapon that sabotaged Iran’s nuclear program and is believed to have been created by the U.S. and Israeli governments. The others – all designed for espionage rather than destruction – are DuQu, Flame, and Gauss.

The new malware adds to the arsenal of cyber tools that are quickly becoming the mark of nation-state intelligence gathering and warfare methods and provides new clues into how such operations are conducted.

“With Flame, Gauss and miniFlame, we have probably only scratched [the] surface of the massive cyber-spy operations ongoing in the Middle East,” the Kaspersky researchers write in a report released Monday. “Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown.”

The revelation comes as the U.S. continues to beat the drum against China for its involvement in nation-state cyberespionage, including that country’s alleged hacks against Google to obtain intelligence about political dissidents and against defense contractors to obtain military secrets.

The miniFlame/SPE malware is actually a module that can be used on its own as a small, standalone espionage tool, or it can be plugged into the much larger Flame espionage tool, or into Gauss.

Until now, Flame and Gauss were believed to be independent nation-state projects that had no connection; but the discovery of miniFlame is the first solid clue that the two projects came out of the same “cyberweapon factory” and were part of the same larger operation, the researchers say.

The module is designed to steal data and open a backdoor into infected machines to give attackers direct and complete remote control over the machines. Once the backdoor is in place, the attackers can send commands to the machines – to steal data or take screenshots, for example – or download other malicious files to the machines.

“Neither Flame nor Gauss allow [the attackers] to directly control the infected system,” says Roel Schouwenberg, senior researcher at Kaspersky Lab. “They’re not designed to allow direct interaction between the attackers and the victim [the way miniFlame does].”

Kaspersky researchers believe miniFlame/SPE was reserved for very select, high-profile victims, and that it was used in conjunction with Flame and Gauss as part of a multi-stage attack.

The researchers believe the attackers used Flame first to infect thousands of machines and steal data from them, then sifted through the data to single-out high-profile targets, who were then infected with miniFlame/SPE so that the attackers could gather more extensive intelligence from them.

They believe that once the attackers installed miniFlame/SPE on a system, they deleted the larger Flame malware that was already on them. Flame actually has a module researchers have found, known as browse32, that the attackers can send out to infected machines to erase Flame from machines. Browse32, Schouwenberg notes, kills Flame, but does not kill miniFlame/SPE.

Once miniFlame/SPE is on a machine, it marks the registry key with an inoculation value so that if the machine comes into contact with the Flame malware again, it will not be infected by that malware.

Flame, also known as Flamer, is a highly sophisticated espionage tool discovered by Kaspersky Lab earlier this year that targeted machines primarily in Iran and other parts of the Middle East. A highly modular toolkit, Flame contains various components for stealing files, capturing screenshots and turning on the internal microphone of an infected computer to record conversations over Skype or in the vicinity of an infected machine.

Gauss is a separate espionage toolkit uncovered by Kaspersky in July, which is designed to steal system information from infected machines. It also contains a module that targets financial accounts at several banks in Lebanon, capturing login credentials to either spy on account transactions or possibly to siphon money from them.

Both Flame and Gauss are much more widely spread than miniFlame; Flame is believed to have infected more than 10,000 machines, and Gauss infected about 2,500. By comparison, miniFlame/SPE appears to have infected only about 50 victims, based on the limited data the researchers have been able to uncover.


Chart showing the number of machines infected by Stuxnet and related espionage malware. Courtesy of Kaspersky Lab
“If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” the researchers write in their report.



The majority of Flame victims have been located in Iran and Sudan, while Gauss victims have been primarily in Lebanon.

Although miniFlame does not seem to be concentrated geographically, its various variants – researchers have found six of them so far but believe there may be dozens – have been geographically concentrated. One version of miniFlame infected machines mostly in Lebanon and the Palestinian Territories. Other variants infected machines in Iran, Kuwait and Qatar.

The six variants, each slightly modified, were created between Oct. 1, 2010 and Sept. 1, 2011. A variant created July 26, 2011 is the most widespread.

But the development of miniFlame/SPE may have begun much earlier than this – as early as 2007. This is when researchers say a protocol used to communicate with the malware, via command-and-control servers, was developed by the attackers.

The miniFlame/SPE module uses a custom protocol called OldProtocolE that the attackers created specifically to communicate with it via some of the same servers that were used to communicate with machines infected with Flame. But the attackers also appear to have set up dedicated command-and-control servers to communicate exclusively with machines infected miniFlame/SPE. Researchers have not uncovered these dedicated servers yet but believe they exist because the Flame command-and-control servers do not have the ability to control miniFlame, and one of the commands the researchers found in miniFlame/SPE allows the attackers to change the command-and-control centers miniFlame contacts.

To communicate with machines infected with miniFlame, the attackers issued commands from command-and-control servers. The commands, encrypted using XOR, as well as an added layer of Twofish, were given proper names by the attackers, many of them women’s names – Fiona, Sonia, Eve, Barbara and Tiffany, but also Elvis, Drake, Charles and Sam.

Gauss had used various names of famous mathematicians and cryptographers for its command files, but the command names in miniFlame don’t have an obvious pattern.


List of the commands that the attackers use to control the miniFlame malware. Courtesy of Kaspersky Lab



Sonia is a command for uploading a file from the victim’s machine to the command and control server. The Barbara command instructs the malware to grab a screenshot of a computer’s entire desktop, but only if the window open in the foreground belongs to one of a list of client applications, including Microsoft Word, Excel, or Outlook; Adobe Acrobat; ICQ; SSH clients; Netscape Navigator; or Microsoft Remote Desktop connections.

Kaspersky discovered miniFlame after researchers obtained access to two command-and-control servers that the attackers had set up to communicate with machines that were infected with Flame.

After creating a sinkhole to intercept data going from Flame-infected machines to the attackers’ command-and-control servers, the researchers were surprised when machines not infected with Flame also contacted their sinkhole and determined that the machines were infected with miniFlame/SPE.

Between May 28 and Sept 30 this year, machines infected with miniFlame contacted Kaspersky’s sinkhole about 14,000 times from about 90 different IP addresses. Most of the machines were based in Lebanon (about 45 infections). The second largest number (24) were in France, most of which appeared to belong to mobile users and free internet service providers.

One machine in France, however, came from an IP address at the Francois Rabelais University of Tours, suggesting that a student or professor at the university may have been targeted.

Kaspersky has found some machines infected with Flame alone, some infected with Gauss alone, some infected with Flame and miniFlame and some infected with Gauss and miniFlame. But there is one machine in Lebanon – what Schouwenberg calls “the mother of all infections” – which has Flame, Gauss, and miniFlame/SPE on it. “It is like everybody wanted to infect that specific victim in Lebanon for some reason,” he says. The IP address for the machine traces back to an ISP, which makes it difficult to know who owns the machine.

Oddly, machines infected with miniFlame stopped contacting Kaspersky’s sinkhole between July 4-7 this year. “I cannot explain the gap,” Schouwenberg says. “The gap is strange and doesn’t make sense.”

Based on clues the researchers have uncovered, they believe the attackers created at least two other pieces of malware. These others – which the attackers refer to as SP and IP in some of their code — have still not been uncovered, though the researchers suspect that SP may be an early version of SPE.