Smaller-scale state-sponsored malware detected, which acts as a module of Flame and Gauss

'Flame' surveillance worm described as one of the most complex threats ever discovered

Kaspersky Lab has announced the discovery of the fourth piece of state-sponsored malware to have been created by the same 'factory'.

Named MiniFlame or SPE, the malware is described by Kaspersky Lab as a high-precision, surgical attack tool used against high-profile victims.

Kaspersky Lab said that it is an information-stealing backdoor that works either independently or as a module of Flame and Gauss. Its capabilities include capturing screenshots and using USB drives to store data collected from infected machines that are not connected to the internet.

The research said that MiniFlame is able to communicate with its own unique command and control (C&C) servers or with Flame's servers, and it was most likely deployed during the initial Flame and Gauss infection.

The research said: “MiniFlame is different from Flame and Gauss in that the number of infections is significantly smaller. While we estimate the total number of Flame/Gauss victims at no less than 10,000 systems, MiniFlame has been detected in just a few dozen systems in Western Asia.

“This indicates that SPE is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and pose the greatest interest to the attackers.”

Roel Schouwenberg, senior researcher at Kaspersky Lab, said that MiniFlame serves as a backdoor, while Flame and Gauss were about data and information gathering. “MiniFlame gives more direct access to a target machine,” he told SC Magazine US.

So far, Kaspersky Lab's researchers have discovered six strains of MiniFlame, and they believe that development began as far back as 2007. The company also determined that the authors of Flame and Gauss, and those of other nation state-sponsored weapons such as Stuxnet and Duqu, are cooperating in their spy efforts.

In January of this year, Kaspersky Lab predicted that more variants of Stuxnet and Duqu would be created, as they were both produced on a platform named 'Tilded'. Kaspersky Lab director of global research and analysis Costin Raiu said that there was evidence that the same platform that was used to build Stuxnet and Duqu was also used to create at least three other pieces of malware.