Last updated on April 18, 2014 at 8:30 EDT

Kaspersky Lab Discovers “miniFlame,” a New Malicious Program Designed for Highly Targeted Cyber Espionage Operations

October 15, 2012

ABINGDON, England, October 15, 2012 /PRNewswire/ –

Kaspersky Lab [http://www.kaspersky.co.uk ] has today announced the discovery of
miniFlame [http://www.securelist.com/en/blog/763/miniFlame_aka_SPE_Elvis_and_his_friends
], a small and highly flexible malicious program designed to steal data and control
infected systems during targeted cyber espionage operations.

miniFlame, also known as SPE, was found by Kaspersky Lab’s experts in July 2012, and
was originally identified as a Flame module. However, in September 2012, Kaspersky Lab’s
research team conducted an in-depth analysis
[http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers ]
of Flame’s command & control servers (C&C) and found that the miniFlame module was
actually an interoperable tool that could be used as an independent malicious program, or
concurrently as a plug-in for both the Flame and Gauss malware.

Analysis of miniFlame showed there were several versions created between 2010 and
2011, with some variants still being active in the wild. The analysis also revealed new
evidence of the co-operation between the creators of Flame
[http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers ] and Gauss
[http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan ]
, with both malicious programs able to use miniFlame as a ‘plug-in’ for
their operations.

Main findings:

        - miniFlame, also known as SPE, is based on the same architectural platform
          as Flame. It can function as its own independent cyber espionage program or as a
          component inside both Flame and Gauss.
        - The cyber espionage tool operates as a backdoor designed for data theft and
          direct access to infected systems.
        - Development of miniFlame might have started as early as 2007 and continued
          until the end of 2011. Many variations are presumed to be created. To date, Kaspersky
          Lab has identified six of these variants, covering two major generations: 4.x and 5.x.
        - Unlike Flame or Gauss, which had high number of infections, the amount of
          infections for miniFlame is much smaller. According to Kaspersky Lab's data, the
          number of infections is between 10-20 machines. The total number of infections
          worldwide is estimated at 50-60.
        - The number of infections combined with miniFlame's info-stealing features and
          flexible design indicate it was used for extremely targeted cyber-espionage
          operations, and was most likely deployed inside machines that were already infected by
          Flame or Gauss.


The discovery of miniFlame occurred during the in-depth analysis of the Flame and
Gauss malware. In July 2012 Kaspersky Lab’s experts identified an additional module of
Gauss, codenamed “John” and found references to the same module in Flame’s configuration
files. The subsequent analysis of Flame’s command and control servers
[http://www.securelist.com/en/blog/750/Full_Analysis_of_Flame_s_Command_Control_servers ],
conducted in September 2012, helped to reveal that the newly discovered module was in fact
a separate malicious program, although it can be used as a ‘plug-in’ by both Gauss and
Flame. miniFlame was codenamed SPE in the code of Flame’s original C&C servers.

Kaspersky Lab discovered six different variations of miniFlame, all dating back to
2010-2011. At the same time, the analysis of miniFlame points to an even earlier date when
development of the malware was commenced – not later than 2007. miniFlame’s ability to be
used as a plug-in by either Flame or Gauss clearly connects the collaboration between the
development teams of both Flame and Gauss. Since the connection between Flame and
Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced
threats come from the same “cyber warfare” factory.


The original infection vector of miniFlame is yet to be determined. Given the
confirmed relationship between miniFlame, Flame, and Gauss, miniFlame may be installed on
machines already infected by Flame or Gauss. Once installed, miniFlame operates as a
backdoor and enables the malware operators to obtain any file from an infected machine.
Additional info-stealing capabilities include making screenshots of an infected computer
while it’s running a specific program or application in such as a web browser, Microsoft
Office program, Adobe Reader, instant messenger service, or an FTP client. miniFlame
uploads the stolen data by connecting to its C&C server (which may be unique, or ‘shared’
with Flame’s C&Cs). Separately, at the request from miniFlame’s C&C operator, an
additional data-stealing module can be sent to an infected system, which infects USB
drives and uses them to store data that’s collected from infected machines without an
internet connection.

Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: “miniFlame is a
high precision attack tool. Most likely it is a targeted cyberweapon used in what can be
defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as
many victims as possible to collect large quantities of information. After data is
collected and reviewed, a potentially interesting victim is defined and identified, and
miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.
The discovery of miniFlame also gives us additional evidence of the cooperation between
the creators of the most notable malicious programs used for cyber warfare operations:
Stuxnet, Duqu, Flame and Gauss.”

Kaspersky Lab would like to thank CERT-Bund/BSI for their kind assistance with this

Additional details about miniFlame can be found in the blog post at Securelist.com:


The full report on miniFlame can be found following this link:


Kaspersky Lab Newsroom

Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe
[https://email.ascentpr.co.uk/exchweb/bin/redir.asp?URL=http://newsroom.kaspersky.eu/en ]),
for journalists throughout Europe. The newsroom is specifically designed to serve many of
the media’s most common requests, making it easier for journalists to find product and
corporate information, facts and figures, editorial copy, images, videos and audio files,
as well as details about the appropriate PR contacts.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection
solutions. The company is ranked among the world’s top four vendors of security solutions
for endpoint users*. Throughout its 15-year history Kaspersky Lab has remained an
innovator in IT security and provides effective digital security solutions for consumers,
SMBs and Enterprises. The company currently operates in almost 200 countries across the
globe, providing protection for over 300 million users worldwide. Learn more at
http://www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and
other IT security issues and trends, visit: http://www.securelist.com.

*The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by
Vendor, 2010. The rating was published in the IDC report Worldwide IT Security Products
2011-2015 Forecast and 2010 Vendor Shares – December 2011. The report ranked software
vendors according to earnings from sales of endpoint security solutions in 2010.

(c) 2012 Kaspersky Lab. The information contained herein is subject to change without
notice. The only warranties for Kaspersky Lab products and services are set forth in the
express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. Kaspersky Lab shall not be liable for
technical or editorial errors or omissions contained herein.

Follow us on Twitter


Like us on Facebook


SOURCE Kaspersky Lab

Source: PR Newswire