Complex Flame malware ‘faked its own death’

Attackers used a ‘SUICIDE’ module to burn down its infrastructure, but new tools have hinted at a resurrection


An incredibly complex strain of malware, widely understood by researchers to have been killed by its operators, actually threw them off its scent and remained active for several more years.

When security researchers discovered 'Flame' in 2012, they described it as highly sophisticated and noted that it had evaded security software despite having been active since at least 2010. It was a cyber-espionage toolkit capable of stealing local files, contact data and recorded audio conversations from targeted systems.


Shortly after the discovery, the group behind Flame triggered a 'SUICIDE' module, which the wider research community took to mark the end of Flame. The module removed active infections, and the attackers burned down whatever command and control (C&C) infrastructure hadn't already been seized by security researchers.

But experts with Chronicle Research have found traces of a second iteration of the malware, dubbed Flame 2.0, by analysing a subset of samples dated between February and March 2014, leading them to conclude that Flame actually "faked its own death".

"Looking at these samples led us to the discovery of a new iteration of the Flame platform, likely used in the 2014-2016 timeframe," the researchers said.


"While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling.

"We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space reminiscent of the early days of discovery that brought about Stuxnet, Duqu, Flame, and Gauss."


The researchers made the discovery using tools that were not widely available, or not widely used, at the time Flame was first analysed.

YARA, for example, a tool for writing pattern-based descriptions of malware families, was developed in 2007 but only recently became widely adopted. Similarly, VirusTotal's retrohunt capability, which runs a YARA rule over historical sample submissions rather than only new ones, wasn't available in 2012, the researchers said.
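To show what such a family description looks like, here is an added illustrative YARA rule; it is not a rule from Chronicle or from the original article, and every string in it is a constructed placeholder chosen to show rule structure, not an indicator for Flame or any real malware family.

```yara
// Added illustrative example, not a rule from Chronicle or from the article.
// All strings below are constructed placeholders demonstrating rule structure;
// they are NOT indicators for Flame or any real malware family.
rule Example_Family_Loader
{
    meta:
        description = "Illustrative structure of a YARA family rule (constructed example)"
        author      = "editor (hypothetical)"
        date        = "2014-02-01"

    strings:
        // MZ header: restricts matching to DOS/PE executables.
        $mz        = { 4D 5A }
        // A constructed text artefact such as an internal module name (placeholder).
        $mod_name  = "EXAMPLE_MODULE_NAME" ascii wide
        // A constructed x86 code fragment; ?? wildcards cover a stack offset
        // and a call displacement that change between builds.
        $code_frag = { 8B 45 ?? 33 C9 E8 ?? ?? ?? ?? 85 C0 }
        // A constructed PDB-path-style pattern (placeholder, not a real path).
        $pdb       = /[A-Z]:\\[^\\]+\\build\\[^\\]+\.pdb/ ascii

    condition:
        // Require a PE file at offset 0, a sane size, and at least two of the
        // family artefacts, so a single generic string cannot fire the rule.
        $mz at 0 and filesize < 20MB and 2 of ($mod_name, $code_frag, $pdb)
}
```

Submitting a rule of this shape to VirusTotal's retrohunt runs it across historical submissions, which is how samples uploaded years earlier can surface long after a family was thought dead. The condition deliberately combines a file-type check with a threshold over several independent artefacts; rules built on one string, or on the header alone, tend to produce noise rather than leads.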

The malware operated by stealing data from infected machines, then passing it on to a network of C&C servers spread across the world. It comprised multiple modules, each made up of several megabytes of executable code.

The researchers were unable to determine large parts of Flame 2.0's functionality because of difficulties decoding its embedded modules, but they expect further analysis to yield more results.

"While the research community assumed Flame had retired and ceased to track this ominous threat actor, Flame 2.0 samples appeared in VirusTotal as early as October 2016 and were likely available in private AV collections a year or two before that," they continued.


"Given that Flame proved to be one of the most daring threat actors ever discovered (going so far as to leverage an innovative MD5 hash collision attack to subvert the Windows Update mechanism to spread infections across an enterprise), this isn't an adversary we should take lightly in our remit to defend the internet ecosystem."

Flame's resurrection bears striking similarities to the return of another infamous strain, Stuxnet, which resurfaced last year in a more violent iteration. The researchers with Chronicle say both form part of an overarching malware ecosystem overseen by a 'supra threat actor' they call GOSSIPGIRL.
