After Flame and Gauss strike, MiniFlame takes aim

Share this article:

While Flame and Gauss act as stealthy espionage malware, having already infected several thousand systems in the Middle East to gather information from their targets, researchers have discovered a new piece of malware that targets those already infected in a more precise way.

Analysts at Russia-based security firm Kaspersky Lab has detected MiniFlame, or SPE, an information-stealing backdoor that works independently, or as a module of Flame and Gauss, on about 50 to 60 machines.

The small number of victims is telling of the malware's design and purpose: to zero in on high-profile targets pinpointed in the Flame and Gauss campaigns.

MiniFlame's capabilities include capturing screenshots while victims run specific programs or applications – like Microsoft Office, Adobe Reader or instant messenger – or use USB drives to store data collected from infected machines, but which aren't connected to the internet.

The malware is able to communicate with its own unique command-and-control servers or with Flame's servers, according to Kaspersky. It is also likely that the malware is deployed during initial Flame and Gauss infection.

Roel Schouwenberg, senior researcher at Kaspersky Lab, told on Monday that MiniFlame gives attackers continued access to its targets.

“MiniFlame really serves as a backdoor,” Schouwenberg said. “Meanwhile, Flame and Gauss were about data and information gathering. MiniFlame gives more direct access to a target machine.”

With the discovery of MiniFlame in July, researchers have determined that the authors of Flame and Gauss, and those of other nation-state-sponsorsed weapons like Stuxnet and Duqu, are cooperating in their spy efforts.

Kaspersky published an anaylsis of Flame's command-and-control servers last month, where it discovered an in-the-wild Flame variant, now thought to be one of several MiniFlame strains infecting machines.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.