One of the most complex threats ever found, according to Kaspersky Lab, the Flame malware targeted Iran and other Middle Eastern countries in a cyber-espionage campaign for which researchers had little precedent. Given the intricacy and sheer size of Flame's code, it was both unsettling that it went undetected for years and daunting for the researchers: Kaspersky judged Flame to be roughly 20 times the size of Stuxnet and expected the investigation to take correspondingly longer than that of any attack they had analysed before.
Back in 2012, a massive and sophisticated piece of malware known as Flame was "found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation," according to Wired. The malware was first documented by Kaspersky Lab, a Russian antivirus firm, which found Flame on machines in Iran, Syria, and other Middle Eastern and North African countries. Flame was not destructive in the way Stuxnet was, the computer worm known for targeting supervisory control and data acquisition (SCADA) systems and causing significant damage to Iran's nuclear program, but its design indicated that the same nation-state actors had shared source code between the two projects "at least once," and that they were building an arsenal of software to continue attacks in the line of Stuxnet and its sister malware, Duqu.
Flame was a threat like no other because of the complexity and uncommon features in its code. Despite its size, it concealed itself from detection and could steal data in a variety of ways, including recording audio from a machine's internal microphone. Flame could also enumerate and interact with nearby Bluetooth devices, which suggested a more mature kind of malware and worried researchers. The kicker is that much about the malware is still unknown, including its origin and whether it will return. While the threat is not currently active, the question remains: will Flame surface a third time?
A tool for spyware
In the early stages of Kaspersky's investigation, reports indicated that Flame was designed to spy on the systems it infiltrated, with the goal of stealing documents, recording conversations and exfiltrating sensitive data. The 20-megabyte malware proved to be significantly more complex than that: parts of it were written in Lua, an embeddable scripting language rarely seen in malware, and it differed from earlier malware in several uncommon characteristics. Researchers concluded that Flame had likely been in operation since at least 2010, about two years before it was actually detected, owing to its ability to conceal itself. Alexander Gostev, chief security expert at Kaspersky Lab, expected it would take up to "10 years to fully understand everything" given the sheer complexity of the design.
A unique attack system
Several factors set Flame apart from other malware such as Stuxnet and Duqu. According to the New York Times, researchers determined Flame "may be the most destructive cyberattack on Iran since the notorious Stuxnet virus." Stuxnet and Duqu were both built from comparatively compact code, whereas Flame was notable for its size, modularity and operational strategy, a design likely intended to reduce its chances of detection.
Flame, unlike Stuxnet, spread under manual control rather than automatically: its propagation mechanisms were only triggered on command from its operators, so the malware spread in a controlled fashion. Flame also checked infected systems for up-to-date antivirus products, gathering data that let the operators judge which environments were "safe" to infiltrate undetected. Also unlike earlier attacks, Flame was an all-purpose tool that did not target a single industry, and its focus was on collecting information rather than causing damage. In at least one network, the malware was carried in on a manually inserted USB stick, whereas Stuxnet propagated on its own once it reached a network.
A plan of action
Iran's Computer Emergency Response Team (CERT) set out to combat Flame by developing a tool that could detect existing "Flamer" infections, and shared it with a small number of organizations. CERT members also produced a removal tool to eradicate the malware from infiltrated computers and networks. However, according to Kaspersky, Flame's creators had built their own kill module, known as browse32, which hunted an infected system for Flame's components and wiped every trace of them, making the malware harder to detect consistently. Following the public revelation of Flame, those behind the malware shut it down themselves, leaving researchers with an array of unanswered questions.
The future of Flame
Since its initial discovery, Flame has also been detected in Europe and North America. However, once the threat was exposed to the public, its operators halted all activity and triggered the "kill" module, leaving little or nothing behind to investigate. According to Motherboard, no one expected to encounter Flame again. That is, until a newer version of the malware, active from 2014 to 2016, came to light: one that had reworked its ability to evade detection and resist analysis.
Luckily, that campaign was also short-lived, and researchers have since developed tools that make detection quicker and more efficient. One of them is YARA, a pattern-matching tool originally developed at VirusTotal and used by the Chronicle researchers who identified the newer Flame. YARA "lets researchers create rules or search parameters to scan entire networks for code and patterns of activity or search through vast repositories of malicious and suspicious code to spot code re-use across malware families. It can also uncover other patterns and similarities that connect seemingly disparate malware families and threat actors."
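To make the YARA idea concrete, the following is an added example written for this page; it is not the YARA engine, not Chronicle's or Kaspersky's code, and it contains no Flame artefacts. It implements the two mechanics the passage describes, per-rule string patterns (hex patterns with `??` wildcard bytes, or literal text) and an "N of them" condition, and then reports which patterns recur across the samples a rule matches, which is the code-reuse signal researchers look for. The rule, the pattern identifiers and the sample byte blobs are all hypothetical and constructed inline.

```python
"""Minimal YARA-style matcher (added illustration, not the YARA engine itself).

Implements per-rule hex/text string patterns with '??' wildcards and an
'N of them' condition, then reports which patterns recur across samples.
Every rule, identifier and sample below is constructed; none is a Flame artefact.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Union

Pattern = Union[str, bytes]   # str = hex pattern with ?? wildcards, bytes = literal


@dataclass
class Rule:
    name: str
    strings: Dict[str, Pattern]
    min_matches: int            # YARA condition "<min_matches> of them"


def pattern_to_regex(pat: Pattern) -> "re.Pattern[bytes]":
    """Compile a hex pattern such as '55 8B EC ?? 53' (or a literal) to a bytes regex."""
    if isinstance(pat, bytes):
        return re.compile(re.escape(pat))
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pat.split()]
    # DOTALL so a wildcard byte may also be 0x0A; without it '.' skips newlines
    return re.compile(b"".join(parts), re.DOTALL)


def scan(rule: Rule, data: bytes) -> Dict[str, List[int]]:
    """Offsets of every rule string found in data (absent ids were not found)."""
    hits: Dict[str, List[int]] = {}
    for ident, pat in rule.strings.items():
        offsets = [m.start() for m in pattern_to_regex(pat).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(rule: Rule, data: bytes) -> bool:
    """Evaluate the 'N of them' condition."""
    return len(scan(rule, data)) >= rule.min_matches


def shared_strings(rule: Rule, samples: Dict[str, bytes]) -> Set[str]:
    """String ids common to every sample the rule matches: the code-reuse signal."""
    matched = [set(scan(rule, d)) for d in samples.values() if rule_matches(rule, d)]
    return set.intersection(*matched) if matched else set()


# Hypothetical rule: a function prologue whose stack-frame size varies (the ??),
# a local-variable idiom, and a marker string. Not derived from any real family.
SHARED_RULE = Rule(
    name="shared_component",
    strings={
        "$prologue": "55 8B EC 83 EC ?? 53 56 57",     # push ebp; mov ebp,esp; sub esp,X; push ebx/esi/edi
        "$localvar": "C7 45 FC 00 00 00 00 8B 45 FC",  # mov [ebp-4],0; mov eax,[ebp-4]
        "$marker": b"CONSTRUCTED_MARKER",
    },
    min_matches=2,
)

# Constructed samples: two "families" reuse the prologue with different frame sizes.
SAMPLES = {
    "family_a": b"\x90" * 16 + bytes.fromhex("558BEC83EC1C535657")
                + bytes.fromhex("C745FC000000008B45FC") + b"\x00trailing",
    "family_b": b"MZ" + bytes.fromhex("558BEC83EC40535657")
                + b"padding" + b"CONSTRUCTED_MARKER",
    "benign": b"\x90" * 40 + b"hello world",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:9s} match={rule_matches(SHARED_RULE, blob)} hits={scan(SHARED_RULE, blob)}")
    print("reused across matching samples:", shared_strings(SHARED_RULE, SAMPLES))
```

Run as a script it flags both constructed families (each satisfies "2 of them" through a different pair of strings) and ignores the benign blob; `shared_strings` then isolates the one pattern both families have in common, the wildcarded prologue, which is the kind of overlap that lets a rule written for one family surface a relative that was otherwise missed.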
While researchers continue to develop and showcase tools to detect and contain future malware, threat actors are constantly innovating as well. The unexpected return of Flame in 2014, and the difficulty of detecting its code, raise the question: will Flame return once again with an even more sophisticated system, and will it go undetected for as long as it did the first time?