An incredibly complex strain of malware, widely understood by researchers to have been killed by its operators, actually threw them off its scent and remained active for several more years.
When security researchers discovered 'Flame' in 2012, they described it as highly sophisticated and claimed it had avoided detection by security software despite being active since 2010. This tool for "cyber espionage" was capable of stealing information from targeted systems, local files, contact data and audio conversations.
The group behind Flame then instigated a 'SUICIDE' module shortly after being discovered, with the wider research community believing this to represent the end of Flame. This effectively cleaned up active infections and burned down the attackers' command and control (C&C) infrastructure that hadn't been seized by security researchers.
But experts with Chronicle Research have encountered traces of a second iteration of the malware strain, dubbed Flame 2.0, through analysing a subset of samples. These are dated to a range between February and March 2014, leading them to conclude that Flame actually "faked its own death".
"Looking at these samples lead us to the discovery of a new iteration of the Flame platform, likely used in the 2014-2016 timeframe," the researchers said.
"While the malware is clearly built on the Flame source code, it includes new counter-measures against researcher meddling.
"We hope that announcing these findings at an early stage will encourage a collaborative environment in the threat intelligence space reminiscent of the early days of discovery that brought about Stuxnet, Duqu, Flame, and Gauss."
The team of researchers have managed to make this discovery by gaining access to tools that weren't widely used or available in the recent past.
YARA methods, for example, a tool used to create descriptions of malware families had been developed in 2007 but only recently became widely adopted. Similarly, a retrohunt capability developed by VirusTotal wasn't available in 2012, the researchers said.
The malware operated by stealing data from infected machines, then passing this onto a network of C&C servers spread across the world. It comprised multiple modules each made up of several megabytes of executable code.
The researchers were unable to determine large parts of Flame 2.0's functionality because of difficulties decoding the embedded modules. But they believe further analysis will likely render more positive results.
"While the research community assumed Flame had retired and ceased to track this ominous threat actor, Flame 2.0 samples appeared in VirusTotal as early as October 2016 and were likely available in private AV collections a year or two before that," they continued.
"Given that Flame proved to be one of the most daring threat actors ever discovered (going so far as to leverage an innovate MD5 hash collision attack to subvert the Windows Update mechanism to spread infections across an enterprise), this isn't an adversary we should take lightly in our remit to defend the internet ecosystem."
Flame's resurrection bears striking similarities to the return of another infamous strain, Stuxnet, which resurfaced last year in a more violent iteration. The researchers with Chronicle say this forms part of an overarching malware ecosphere overseen by the GOSSIPGIRL supra threat actors.
