Kaspersky Lab has found a mini cyber-spy

Posted: October 16, 2012 in IT Security News, Security Notices

Kaspersky Lab has announced the discovery of miniFlame, a small and highly flexible malicious program designed to steal data and control infected systems in targeted attacks carried out for cyber espionage.

The miniFlame program, also known as SPE, was discovered by Kaspersky Lab experts in July 2012 and was originally identified as a module of the Flame malware. In September 2012, after studying Flame's command-and-control servers, it became clear that the miniFlame module is interoperable: it can be used both as a standalone malicious program and as a plugin for the Flame and Gauss malware.

Discovery

miniFlame was discovered during a detailed analysis of the Flame and Gauss malware. In July 2012, Kaspersky Lab experts identified an additional Gauss module code-named "John" and found a reference to a similar module in Flame's configuration files. Subsequent analysis of Flame's command-and-control servers, carried out in September 2012, concluded that the newly discovered module is in fact a separate piece of malware, despite the fact that it can work together with either Gauss or Flame. On the Flame command-and-control server, miniFlame was listed under the code name SPE.

Kaspersky Lab found six different variants of miniFlame, all dating from 2010-2011. At the same time, the analysis points to an even earlier start of miniFlame's development: no later than 2007. The ability to use miniFlame as a plugin for both Flame and Gauss clearly indicates cooperation between the development teams responsible for creating these malicious programs. Because the relationship between Flame and Stuxnet/Duqu has already been established, it can be concluded that all of these programs were designed in the same "cyber-weapon factory."

Functionality

Given the confirmed link between miniFlame, Flame and Gauss, miniFlame is most likely installed on computers already infected with Flame or Gauss. Once on the system, miniFlame acts as a backdoor, allowing the operator to retrieve any file from the infected machine. Additional data-theft features include taking screenshots of the infected computer while the user is working in specific programs and applications, such as browsers, Microsoft Office, Adobe Reader, instant-messaging services and FTP clients. miniFlame sends the stolen data by connecting to its command-and-control server (which can be dedicated or shared with Flame). In addition, on the operator's command from the control server, a plugin can be downloaded to the infected system that steals data by infecting USB drives and using them to store data collected from infected computers that have no Internet connection.

"MiniFlame is a tool for precision attacks. Most likely, it is a cyber weapon with clearly defined targets, used in the course of what may be called the second wave of cyber attacks," says Alexander Gostev, chief antivirus expert at Kaspersky Lab. "First, Flame or Gauss is used to infect as many victims as possible and collect a significant amount of information. After that, the collected data are analyzed, potentially interesting victims are identified, and miniFlame is installed on their computers for in-depth surveillance and cyber espionage. The discovery of miniFlame gave us more evidence of interaction between the creators of the most notable malware used as cyber weapons: Stuxnet, Duqu, Flame and Gauss."

Key findings

  • miniFlame, also known as SPE, is based on the same architectural platform as Flame. It is able to operate either as a stand-alone cyber-espionage program or as a component of Flame or Gauss.
  • The tool acts as a cyber-espionage backdoor, allowing data theft and direct control of the infected system.
  • miniFlame development apparently began in 2007 and continued until the end of 2011. Most likely there were a great number of variants of the program. To date, Kaspersky Lab has been able to identify six, belonging to two major generations: 4.x and 5.x.
  • Unlike Flame and Gauss, which account for a large number of infections, the number of systems infected with miniFlame is much smaller. According to Kaspersky Lab's data, the number of infections is in the range of 10 to 20 machines, with the total number of miniFlame-infected computers worldwide estimated at 50-60.
  • The small number of computers infected with miniFlame, combined with its data-theft capability and flexible design, indicates that the malware is used only for narrowly targeted cyber-espionage operations and is likely deployed on machines already infected with Flame or Gauss.

More information about the results of Kaspersky Lab's research is available here.
