Complex Flame malware ‘faked its own death’

Attackers used a ‘SUICIDE’ module to burn down its infrastructure, but new tools have hinted at a resurrection

The keyboard of a laptop device having caught fire

An incredibly complex strain of malware, widely understood by researchers to have been killed by its operators, actually threw them off its scent and remained active for several more years.

When security researchers discovered 'Flame' in 2012, they described it as highly sophisticated and claimed it had avoided detection by security software despite being active since 2010. This tool for "cyber espionage" was capable of stealing information from targeted systems, local files, contact data and audio conversations.

The group behind Flame then instigated a 'SUICIDE' module shortly after being discovered, with the wider research community believing this to represent the end of Flame. This effectively cleaned up active infections and burned down the attackers' command and control (C&C) infrastructure that hadn't been seized by security researchers.

But experts with Chronicle Research have encountered traces of a second iteration of the malware strain, dubbed Flame 2.0, through analysing a subset of samples. These are dated to a range between February and March 2014, leading them to conclude that Flame actually "faked its own death".

"Looking at these samples lead us to the discovery of a new iteration of the Flame platform, likely used in the 2014-2016 timeframe," the researchers said.

"While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling.

"We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space reminiscent of the early days of discovery that brought about Stuxnet, Duqu, Flame, and Gauss."

The team of researchers have managed to make this discovery by gaining access to tools that weren't widely used or available in the recent past.

YARA methods, for example, a tool used to create descriptions of malware families had been developed in 2007 but only recently became widely adopted. Similarly, a retrohunt capability developed by VirusTotal wasn't available in 2012, the researchers said.

The malware operated by stealing data from infected machines, then passing this onto a network of C&C servers spread across the world. It comprised multiple modules each made up of several megabytes of executable code.

The researchers were unable to determine large parts of Flame 2.0's functionality because of difficulties decoding the embedded modules. But they believe further analysis will likely render more positive results.

"While the research community assumed Flame had retired and ceased to track this ominous threat actor, Flame 2.0 samples appeared in VirusTotal as early as October 2016 and were likely available in private AV collections a year or two before that," they continued.

"Given that Flame proved to be one of the most daring threat actors ever discovered (going so far as to leverage an innovate MD5 hash collision attack to subvert the Windows Update mechanism to spread infections across an enterprise), this isn't an adversary we should take lightly in our remit to defend the internet ecosystem."

Flame's resurrection bears striking similarities to the return of another infamous strain, Stuxnet, which resurfaced last year in a more violent iteration. The researchers with Chronicle say this forms part of an overarching malware ecosphere overseen by the GOSSIPGIRL supra threat actors.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021