Burned Again by Flame 2.0
*Note: This article was originally published by the author on April 10, 2019.*
In the immortal words of “Mater” from Disney’s Cars movie franchise, “I’m back, fellow bad guys!” Remember that nasty nation-state-attributed malware known as “Flame” that surfaced back in 2012? Well, researchers should have nicknamed it demon malware, because it apparently came back to life from 2014 through at least 2016.
Upon Flame’s initial discovery, it was quickly killed and all reachable instances were removed via its command and control (C2) servers worldwide. Whenever sophisticated malware such as Flame or Stuxnet is discovered in the wild, it is a major secrecy failure for whoever created it. You see, malware is only effective while it is covert and unknown, before fingerprint signatures for the malware and its spawned variants are being scanned for by every reputable anti-virus product (e.g., Kaspersky, Symantec, McAfee, Malwarebytes, etc.). Malware developers spend a lot of time (and time equals money) and resources, and go to great lengths, attempting to design malware that operates in the most clandestine manner possible.
The longer the malware remains undetected, the more profitable it is for the malware developer and other cyber criminals who purchase or rent it. It’s not uncommon for malware to be operational for years before it is finally discovered. The minute it is discovered and publicized, expect to see a hasty clean-up effort by those employing the malware. Sometimes, you’re able to trace where the malware is being controlled from (C2 servers) and you can pinpoint who is controlling it. That is often how malware is attributed by intelligence agencies to a nation-state.
Flame was among the most sophisticated malware known to have been created when it was originally discovered in 2012. Therefore, it is not hard to imagine that it was created by a nation-state, or by multiple nation-states working together, much in the way Stuxnet is publicly known to have been the devious and cooperative creation of the U.S. National Security Agency (NSA) and Israel’s Unit 8200. Among nation-states with the technical chops and resources to produce such a sophisticated malware exploit kit, the field of likely suspects narrows considerably. The Flame malware is believed to be the handiwork of Israel’s Unit 8200.
This newer variant of Flame was apparently modified to include strong encryption to evade detection and make it much more difficult to reverse engineer (Zetter, 2019). In Zetter’s article, security researchers are quoted to the effect that Flame was considered “too old and expensive [for the attackers] to waste time” modifying. This seems a bit off to me. If you’re a malware developer and can modify a very effective piece of malware just enough to make it evade anti-virus detection, that saves a lot of time and effort. So, to me, this wasn’t surprising, and it is probably why we keep seeing other malware such as Emotet and certain ransomware like Locky, Mamba, and HDDCryptor.
Back in 2015, Kaspersky discovered the Equation Group, whose modus operandi is to use very strong encryption in all their malware. For those who do not follow Advanced Persistent Threat (APT) group activity, it’s almost like a sitcom: there is fascinating late-night drama on the cyber webs almost daily, with many players from many different nations. The Equation Group is widely suspected to be the NSA, and like every APT they have an entire family of malware attributed to them.
Equally interesting is the discovery by two security researchers at Chronicle (owned by Alphabet, the parent company of Google) who used the YARA tool to reveal that Stuxnet is linked to another malware known as Flowershop, which was actually a predecessor to the Stuxnet and Duqu malware also attributed to the Equation Group. YARA brings new analysis and search capabilities which, combined with malware repositories such as VirusTotal, can be used to re-examine old malware for potential new strains.
It is also helpful for those who may be new to information security or malware analysis to know how malware is typically deployed in the various stages of an attack. There are five stages of a malware attack, as the image below depicts.
Another method of attributing malware is to determine what it is targeting. Flame was found to be targeting Iran mostly, so that narrowed the list of possible suspects down quite a bit to either the U.S. or Israel when you consider which nation-states have the capability and resources to create malware like Flame, and the motive to attack Iran with it. Clearly, there has been a fairly sizeable combined effort by the U.S. and Israel to create and deploy sophisticated malware against various targets in the Middle East for quite a few years now. I don’t expect that this will stop anytime soon, just like I don’t expect Russia, North Korea, China, and Iran to stop targeting the U.S. and the U.K. with their APT malware. That’s all for now.