Complex Flame malware ‘faked its own death’

Attackers used a ‘SUICIDE’ module to burn down its infrastructure, but new tools have hinted at a resurrection

The keyboard of a laptop device having caught fire

An incredibly complex strain of malware, widely understood by researchers to have been killed by its operators, actually threw them off its scent and remained active for several more years.

When security researchers discovered 'Flame' in 2012, they described it as highly sophisticated and claimed it had avoided detection by security software despite being active since 2010. This tool for "cyber espionage" was capable of stealing information from targeted systems, local files, contact data and audio conversations.

The group behind Flame then instigated a 'SUICIDE' module shortly after being discovered, with the wider research community believing this to represent the end of Flame. This effectively cleaned up active infections and burned down the attackers' command and control (C&C) infrastructure that hadn't been seized by security researchers.

But experts with Chronicle Research have encountered traces of a second iteration of the malware strain, dubbed Flame 2.0, through analysing a subset of samples. These are dated to a range between February and March 2014, leading them to conclude that Flame actually "faked its own death".

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Looking at these samples lead us to the discovery of a new iteration of the Flame platform, likely used in the 2014-2016 timeframe," the researchers said.

"While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling.

"We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space reminiscent of the early days of discovery that brought about Stuxnet, Duqu, Flame, and Gauss."

The team of researchers have managed to make this discovery by gaining access to tools that weren't widely used or available in the recent past.

YARA methods, for example, a tool used to create descriptions of malware families had been developed in 2007 but only recently became widely adopted. Similarly, a retrohunt capability developed by VirusTotal wasn't available in 2012, the researchers said.

The malware operated by stealing data from infected machines, then passing this onto a network of C&C servers spread across the world. It comprised multiple modules each made up of several megabytes of executable code.

Advertisement - Article continues below

The researchers were unable to determine large parts of Flame 2.0's functionality because of difficulties decoding the embedded modules. But they believe further analysis will likely render more positive results.

"While the research community assumed Flame had retired and ceased to track this ominous threat actor, Flame 2.0 samples appeared in VirusTotal as early as October 2016 and were likely available in private AV collections a year or two before that," they continued.

"Given that Flame proved to be one of the most daring threat actors ever discovered (going so far as to leverage an innovate MD5 hash collision attack to subvert the Windows Update mechanism to spread infections across an enterprise), this isn't an adversary we should take lightly in our remit to defend the internet ecosystem."

Flame's resurrection bears striking similarities to the return of another infamous strain, Stuxnet, which resurfaced last year in a more violent iteration. The researchers with Chronicle say this forms part of an overarching malware ecosphere overseen by the GOSSIPGIRL supra threat actors.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020