Burned Again by Flame 2.0

*Note: This article was originally published by the author on April 10, 2019.

Credit: Digital Trends

In the immortal words of β€œMater” from Disney’s Cars movies franchise, β€œI’m back fellow bad guys!” Remember that nasty nation-state attributed malware known as β€œFlame” that surfaced back in 2012? Well, researchers should have nicknamed it demon malware because apparently, it came back to life from 2014 through at least 2016.

Upon Flame’s initial discovery, it was quickly killed and all reachable instances were removed via command and control (C2) servers worldwide. Whenever sophisticated malware such as Flame or Stuxnet is discovered in the wild, it is a major secrecy failure for whoever created it. You see, malware is only effective when it is covert, unknown, and when there aren’t fingerprint signatures for the malware and its spawn variations being scanned for by every reputable anti-virus software product (e.g., Kaspersky, Symantec, McAfee, Malwarebytes, etc.). Malware developers spend a lot of time (i.e., time equals money), resources, and go to great lengths in an attempt to design malware to operate in the most clandestine manner possible.

The longer the malware remains undetected, the more profitable it is for the malware developer and other cyber criminals who purchase or rent it. It’s not uncommon for malware to be operational for years before it is finally discovered. The minute it is discovered and publicized, expect to see a hasty clean-up effort by those employing the malware. Sometimes, you’re able to trace where the malware is being controlled from (C2 servers) and you can pinpoint who is controlling it. That is often how malware is attributed by intelligence agencies to a nation-state.

Flame was among the most sophisticated malware known to have ever been created to date in 2012 when it was originally discovered. Therefore, it is not hard to imagine that it was created by a nation-state or multiple nation-states working together much in the way Stuxnet is publicly known to have been the devious and cooperative creation of the U.S. National Security Agency (NSA) and Israel’s Unit 8200. Among nation-states that have the technical chops and resources to produce such a sophisticated malware exploit kit, the field of likely suspects gets much more narrow. The Flame malware is believed to be the handy work of Israel’s Unit 8200.

Researchers Uncover New Version of the Infamous Flame Malware
They also found evidence that Stuxnet has ties to another malware family. The discoveries were made using tools and…www.vice.com

This newer variant of Flame was apparently modified to include strong encryption to obfuscate detection and make it much more difficult to reverse engineer (Zetter, 2019). In Zetter’s article, there is a comment that was made by security researchers to the effect that Flame was considered to be β€œtoo old and expensive [for the attackers] to waste time” modifying. This seems a bit off to me. If you’re a malware developer and can modify the code of a very effective piece of malware code just enough to make it evasive from anti-virus detection then it could save a lot of time and effort. So, to me, this wasn’t surprising and it is probably why we keep seeing other malware such as Emotet and certain ransomware like Locky, Mamba, and HDDCryptor.

Flame malware code reverse engineered

Back in 2015, Kaspersky discovered the Equation Group and their modus operandi is to use very strong encryption of all their malware. For those who do not follow Advanced Persistent Threat (APT) group activity, it’s almost like a sitcom because there is fascinating late-night drama on the cyber webs almost daily that takes place with many players from many different nations. The Equation Group is largely suspected to be the NSA, and like every APT they have an entire family of malware that is attributed to them.

Equally interesting is the discovery by two Chronicle (Alphabet, the parent company of Google owns Chronicle) security researchers who used the YARA tool to reveal that Stuxnet is linked to another malware known as Flowershop which was actually a predecessor to the Stuxnet and Duqu malware also attributed to the Equation Group. YARA brings new analysis and search capabilities combined with other malware repositories such as Virus Total that can be used to re-examine old malware for potential new strains.

It is also helpful for those who may be new to information security or malware analysis to know how malware is typically deployed in various stages of an attack. There are five stages of a malware attack as the image depicts below.

Another method of attributing malware is to determine where it is targeting. Flame was found to be targeting Iran mostly, so that really narrowed the list of possible suspects down quite a bit to either the U.S. or Israel when you consider which nation-states have the capability, resources to create malware like Flame, and the motive to attack Iran with it. Clearly, there has been a fairly sizeable combined effort by the U.S. and Israel to create and deploy sophisticated malware against various targets in the Middle East for quite a few years now. I don’t expect that this will stop anytime soon, just like I don’t expect Russia, North Korea, China, and Iran will stop targeting the U.S. and the U.K. with their APT malware. That’s all for now.

tech privacy, hacking, dfir, security research, & outdoors enthusiast, you savvy?

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Influencer Spotlight: @CoinDesk

Airdrop Live $HOPE CW20

Hacked! How and Where Users Find Your Information on the Dark Web!β€Šβ€”β€ŠOnline Investigation Part 2

Morpheus Network Pre-Sale β€” Message From The CEO And New Presale Date: MARCH 2ND, 2018 AT 12:00 PM…

How to buy $INF via Trust Wallet

Postmortem of algradigon-1

7 Alternative Search Engines (Tried & Tested)

Referral Promo FAQ’s

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


tech privacy, hacking, dfir, security research, & outdoors enthusiast, you savvy?

More from Medium

7 vulnerabilities patched in Wireshark. Update immediately

On Cyberwarfare & the Effectiveness of Indicting Foreign Criminal Hackers