Kaspersky Lab said on Monday that it has discovered a small and highly flexible malware tool called miniFlame, or SPE. It's designed to steal data and control systems during targeted cyber espionage operations.
MiniFlame was originally discovered back in July and classified as a module of the Flame espionage tool. Since then, Kaspersky has reclassified it as a standalone malware tool that can be used as a plugin for both the Flame and Gauss malware. This reclassification arrives after the firm conducted a thorough analysis of Flame's command & control servers over the summer.
"The discovery of miniFlame occurred during the in-depth analysis of the Flame and Gauss malware," the firm said on Monday. "In July 2012 Kaspersky Lab’s experts identified an additional module of Gauss, codenamed 'John' and found references to the same module in Flame’s configuration files. The subsequent analysis of Flame’s command and control servers, conducted in September 2012, helped to reveal that the newly discovered module was in fact a separate malicious program, although it can be used as a “plug-in” by both Gauss and Flame. miniFlame was codenamed SPE in the code of Flame’s original C&C servers."
There are six variations of miniFlame covering the 4.x and 5.x generations, the firm said, all dating from 2010 to 2011. Moreover, hackers began developing the tool before 2007, and it was likely created in the same "cyber warfare factory" by the same crew behind Flame and Stuxnet/Duqu, based on its plug-in capabilities alone.
But unlike Flame and Gauss, miniFlame hasn't infected thousands of computers. It has been found on only 10 to 20 machines, and the firm estimates the worldwide number of infections to be around 50 to 60 machines. This small number indicates that it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss.
"miniFlame is a high precision attack tool," said Alexander Gostev, Chief Security Expert, Kaspersky Lab. "Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."
The full report on miniFlame can be found here.