FLAME MALWARE

Flame is a modular malware discovered in 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab, and the CrySyS Lab of Budapest University of Technology and Economics. Flame, also associated with the names Flamer and Skywiper, may have been active for 2-5 years prior to its 2012 discovery. Initially, Flame targeted Microsoft Windows computers that supported the Iranian nuclear program. However, Iran discovered the malware only after detecting a cyber campaign against its oil industry.

Flame is a large piece of modular malware, designed to map and monitor the target network. Flame is about 20 megabytes of code. For comparison, it is ~20 times the size of Stuxnet, though Flame is entirely focused on espionage and is considered a predecessor to the Stuxnet malware. The malware leverages the victim’s network to provide the adversary with a steady stream of exfiltrated data that can be used to inform cyber and cyber-physical campaign decisions. Flame is too large and too complex to be anything except state-sponsored malware. Because of its alleged purpose, the Flame malware is attributed to a joint development program between the NSA, the CIA, and the Israeli military. Flame may have been part of a classified operation meant to monitor and slow Iran’s nuclear program, code-named Olympic Games.

To the credit of the allegations, the Stuxnet malware was developed under similar circumstances and for similar purposes. In fact, Flame contains some of the same code as Stuxnet. According to Kaspersky senior researcher Roel Schouwenberg, “It’s very likely it’s two teams working effectively on the same program but using two very different approaches.” Supposedly, the campaign against the Iranian oil industry, which led to the exposure of Flame, was a unilateral operation launched by Israel without informing its American counterparts.

Kaspersky detected Flame malware infections in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. Significantly fewer infected systems were detected in Europe or North America. Infected systems belonged to state-related organizations, educational institutions, and individuals. Systems were compromised via spear phishing attacks, infected websites, infected USB devices, and other infected systems on the local area network. Flame targeted emails, documents, AutoCAD drawings, instant messenger logs, and Skype conversations.

Flame is one of the first pieces of malware complex enough to be considered an attack toolkit. For years, Flame evaded detection by masquerading as a Microsoft software update. Flame creates its own backdoor, operates like a Trojan, and replicates across the local network and removable media like a worm. Flame contains many different libraries: for compression (zlib, libbz2, and ppmd), for encryption (five methods in total), for database manipulation (sqlite3), and a Lua virtual machine. The virtual machine is included to integrate Flame’s components with C and C++ code on the host machine. Flame also contains local databases with nested SQL queries, Windows Incident Management scripting, batch scripting, and other features.

Flame set the precedent for what are now the typical espionage-malware capabilities. Flame can log keystrokes, activate microphones to capture audio, activate cameras to capture video, extract geolocation data from images, and screenshot the display. Recorded data is compressed via a public-source library and periodically sent to the malware operator’s C&C infrastructure through a covert SSL channel. Other data is exfiltrated the same way. Flame is unique (at least for 2012) in that it can activate and use Bluetooth to send and receive commands and data. Through Bluetooth, infected machines can be turned into beacons or used to detect nearby Bluetooth-enabled devices. Like Stuxnet, Flame can infect other systems on the network through shared connections such as printers. Flame can also spread to air-gapped networks via a USB drive.
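The periodic, compressed uploads to C&C infrastructure described above are what a defender can look for in flow or proxy logs even when the channel itself is encrypted: scheduled exfiltration tends to produce connections at near-fixed intervals with near-uniform payload sizes, unlike interactive browsing. The following Python is an added example written for this article, not code from the Flame write-up or from any of the labs that analysed it; the flow records are constructed and the thresholds are illustrative assumptions.

```python
"""Periodic-beacon detector over constructed TLS connection records.

Added example for this article (not Flame analysis code). Assumes a flow log
of (epoch seconds, source, destination, bytes_out) tuples; every value in
SAMPLE_FLOWS is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 talks to 203.0.113.10:443 roughly every 900 s
# with similarly sized uploads (what a scheduled, compressed upload looks like),
# while its traffic to 198.51.100.7:443 is irregular browsing.
SAMPLE_FLOWS = [
    # (epoch seconds, src, dst, bytes_out)
    (1000, "10.0.0.5", "203.0.113.10:443", 48120),
    (1902, "10.0.0.5", "203.0.113.10:443", 47990),
    (2798, "10.0.0.5", "203.0.113.10:443", 48310),
    (3701, "10.0.0.5", "203.0.113.10:443", 48055),
    (4599, "10.0.0.5", "203.0.113.10:443", 48200),
    (1100, "10.0.0.5", "198.51.100.7:443", 512),
    (1130, "10.0.0.5", "198.51.100.7:443", 9044),
    (2650, "10.0.0.5", "198.51.100.7:443", 1201),
    (2655, "10.0.0.5", "198.51.100.7:443", 300),
    (4200, "10.0.0.5", "198.51.100.7:443", 76000),
]


def beacon_score(flows, min_events=4):
    """Return {(src, dst): (cv_interval, cv_bytes)} for pairs with enough events.

    cv is the coefficient of variation (population stdev / mean). A low
    interval cv means the connections arrive on a near-fixed schedule; a low
    byte cv means the uploads are uniformly sized. Both together are
    characteristic of scheduled exfiltration rather than interactive use.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    scores = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few observations to judge regularity
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        cv_interval = pstdev(intervals) / mean(intervals)
        cv_bytes = pstdev(sizes) / mean(sizes)
        scores[pair] = (round(cv_interval, 3), round(cv_bytes, 3))
    return scores


def flag_beacons(flows, max_cv_interval=0.1, max_cv_bytes=0.1):
    """Return (src, dst) pairs whose timing and size regularity both fall
    under the (assumed, illustrative) thresholds."""
    return sorted(
        pair
        for pair, (ci, cb) in beacon_score(flows).items()
        if ci <= max_cv_interval and cb <= max_cv_bytes
    )


if __name__ == "__main__":
    for pair, (ci, cb) in beacon_score(SAMPLE_FLOWS).items():
        print(f"{pair[0]} -> {pair[1]}: interval CV={ci}, size CV={cb}")
    print("flagged:", flag_beacons(SAMPLE_FLOWS))
```

On the constructed sample only the 203.0.113.10 pair is flagged. In practice the thresholds need tuning per environment, and legitimate scheduled jobs (update checks, telemetry) will also score low, so the output is a triage queue rather than a verdict.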

The malware detects the antivirus on the host system and configures its modules and file names so that it has the greatest probability of remaining undetected. The malware also protects its modules with READ, WRITE, and EXECUTE permissions to make them inaccessible to user-made applications. Flame employed fake Microsoft licensing certificates to make discovered modules appear legitimate. Finally, Flame includes a Kill module that discreetly removes the malware from infected systems. After public disclosure of the malware, the operators sent the kill command and removed the malware from many high-profile hosts, thereby obscuring the actual breadth of the campaign.
