Complex Flame malware ‘faked its own death’

Attackers used a ‘SUICIDE’ module to burn down its infrastructure, but new tools have hinted at a resurrection

The keyboard of a laptop device having caught fire

An incredibly complex strain of malware, widely understood by researchers to have been killed by its operators, actually threw them off its scent and remained active for several more years.

When security researchers discovered 'Flame' in 2012, they described it as highly sophisticated and claimed it had avoided detection by security software despite being active since 2010. This tool for "cyber espionage" was capable of stealing information from targeted systems, local files, contact data and audio conversations.

The group behind Flame then instigated a 'SUICIDE' module shortly after being discovered, with the wider research community believing this to represent the end of Flame. This effectively cleaned up active infections and burned down the attackers' command and control (C&C) infrastructure that hadn't been seized by security researchers.

But experts with Chronicle Research have encountered traces of a second iteration of the malware strain, dubbed Flame 2.0, through analysing a subset of samples. These are dated to a range between February and March 2014, leading them to conclude that Flame actually "faked its own death".

"Looking at these samples lead us to the discovery of a new iteration of the Flame platform, likely used in the 2014-2016 timeframe," the researchers said.

"While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling.

"We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space reminiscent of the early days of discovery that brought about Stuxnet, Duqu, Flame, and Gauss."

The team of researchers have managed to make this discovery by gaining access to tools that weren't widely used or available in the recent past.

YARA methods, for example, a tool used to create descriptions of malware families had been developed in 2007 but only recently became widely adopted. Similarly, a retrohunt capability developed by VirusTotal wasn't available in 2012, the researchers said.

The malware operated by stealing data from infected machines, then passing this onto a network of C&C servers spread across the world. It comprised multiple modules each made up of several megabytes of executable code.

The researchers were unable to determine large parts of Flame 2.0's functionality because of difficulties decoding the embedded modules. But they believe further analysis will likely render more positive results.

"While the research community assumed Flame had retired and ceased to track this ominous threat actor, Flame 2.0 samples appeared in VirusTotal as early as October 2016 and were likely available in private AV collections a year or two before that," they continued.

"Given that Flame proved to be one of the most daring threat actors ever discovered (going so far as to leverage an innovate MD5 hash collision attack to subvert the Windows Update mechanism to spread infections across an enterprise), this isn't an adversary we should take lightly in our remit to defend the internet ecosystem."

Flame's resurrection bears striking similarities to the return of another infamous strain, Stuxnet, which resurfaced last year in a more violent iteration. The researchers with Chronicle say this forms part of an overarching malware ecosphere overseen by the GOSSIPGIRL supra threat actors.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020