
MiniFlame Sabotage Tool Spotted Supporting State-Funded Malware

A small “surgical attack tool” has been spotted in nation state-sponsored cyber attacks, complementing more powerful malware such as Flame.

Flame, spotted earlier this year targeting Middle Eastern nations, was highly sophisticated cyber espionage malware. But it has a little brother, according to Russian security firm Kaspersky.

Kaspersky initially thought the malware was simply a component of Flame, or even an early version of it. It later became clear MiniFlame was working alongside the Gauss malware, another cyber espionage tool, and could operate on its own or as a module.

Flame’s own Mini-Me

MiniFlame, which Kaspersky believes was created in 2007 at the latest, is based on the Flame platform but implemented independently. It is believed that Flame, Gauss and MiniFlame were all produced by the same nation state-sponsored team.

“[MiniFlame] is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” read a blog post from Kaspersky Lab’s Global Research & Analysis Team (GReAT).

“The discovery of miniFlame, which works with both these espionage projects, proves that we were right when we concluded that they had come out of the same ‘cyber-weapon factory’.”

MiniFlame was most likely used in attacks on a small number of “high profile” victims. It is used to provide backdoor access to the attackers.

The Russian firm has thus far discovered six different versions of MiniFlame, but it has not been found on many machines. Only an estimated 50 to 60 machines have been infected, compared with between 5,000 and 6,000 for Flame and as many as 10,000 for Gauss.

Stuxnet, which also has connections to Flame and its comrades, found its way onto around 300,000 systems. It is believed the US and Israel created Stuxnet and Flame.

“Unlike Flame, where the vast majority of incidents were recorded in Iran and Sudan, and unlike Gauss, which was mostly present in Lebanon, SPE does not have a clear geographical bias,” GReAT added.

“However, we believe that the choice of countries depends on the SPE variant. For example, the modification known as «4.50» is mostly found in Lebanon and Palestine. The other variants were reported in other countries, such as Iran, Kuwait and Qatar.”

Looking at the IPs of the victims, Kaspersky also found there were a notable number of apparent infections in France. “The IPs in France are the most curious ones – some do appear to be proxies or VPNs, but others are not so obvious.

“For instance, one of the IPs of victims in France belongs to Francois Rabelais University of Tours.

“With Flame, Gauss and miniFlame, we have probably only scratched the surface of the massive cyber-spy operations ongoing in the Middle East. Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
