Skip to main content

Kaspersky discovers new espionage malware, 'miniFlame'

Researchers have uncovered a new virus with ties to the Flame and Gauss malware. According to Kaspersky Lab, its latest discovery has "many similarities to Flame," prompting researchers to dub it miniFlame.

"MiniFlame is in fact based on the Flame platform but is implemented as an independent module. It can operate either independently, without the main modules of Flame in the system, or as a component controlled by Flame," Kaspersky said in a blog post.

MiniFlame was uncovered in July 2012, but has apparently been in development for several years. Kaspersky believes there are dozens of different miniFlame modifications; at this point, the firm has identified six.

While Flame and Gauss hit a large number of targets, miniFlame appears to be focused on a few systems in Western Asia. "This indicates that [miniFlame] is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and posing the greatest interest to the attackers," Kaspersky said.

MiniFlame also does not appear to be targeting a specific region. Flame was mostly focused in Iran and Sudan, while Gauss had a major presence in Lebanon. Different miniFlame variants, however, have clustered in regions like Lebanon and Palestine as well as Iran, Kuwait, and Qatar.

"If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool," Kaspersky said.

In analysing Flame, Kaspersky identified four malware files: SP, SPE, FL, and IP. FL is Flame, and Kaspersky said today that SPE is miniFlame.

MiniFlame, however, can be used in conjunction with its larger counterparts, like Gauss. "As many readers will remember, it has been assumed that Flame and Gauss were parallel projects that did not have any modules or C&C servers in common," Kaspersky said. "The discovery of miniFlame, which works with both these espionage projects, proves that we were right when we concluded that they had come out of the same 'cyber-weapon factory."

Kaspersky uncovered Flame in late May, and said at the time that it "might be the most sophisticated cyber weapon yet unleashed." Flame can sniff network traffic, take screenshots, record audio conversations, intercept a keyboard, and more. All of this data is then available via Flame's command-and-control servers.

Gauss, meanwhile, was uncovered in August and is a cyber threat targeting users in the Middle East that is intended to steal personal details, like banking information. Gauss includes a module - known as Godel - that has an encrypted payload, which Kaspersky found difficult to crack. Ultimately, it asked the security community for assistance.