Flame, the nation-state-developed malware kit that targeted computers in Iran, went quiet after researchers exposed it in 2012. The attackers tried to hide their tracks by scrubbing servers used to talk to infected computers. Some thought they had seen the last of the potent malware platform.
Flame’s disappearance “never sat right with us,” said Juan Andres Guerrero-Saade and Silas Cutler, researchers with Alphabet’s Chronicle. On Tuesday at the Kaspersky Security Analyst Summit in Singapore, they showed that Flame hadn’t died; it had just been reconfigured.
Tracing early components of Flame, Guerrero-Saade and Cutler found a new version of it that was likely used between 2014 and 2016. Flame 2.0 is “clearly built” from the original source code, but it has new measures aimed at eluding researchers, they wrote in a paper.
The discovery shows how good source code dies hard, and that tracking its evolution can be a very long game for researchers.
Flame wasn’t your average malware. Guerrero-Saade and Cutler described it as “one of the seminal modular platforms,” citing the flexibility it gave the attackers to go after different systems. That modularity is a staple of modern nation-state hacking kits, they added.
Flame offered its operators a lot of visibility into the machines it infected. Its modules, Guerrero-Saade and Cutler explained, “gather system information, beacon to nearby bluetooth devices, implement network replication, propagate to other machines or removable media, create backdoor accounts, and much more.”
Researchers have drawn links between Flame, another malware group dubbed Duqu, and Stuxnet, the famous computer worm that the U.S. and Israel reportedly developed and that destroyed centrifuges at an Iranian nuclear facility in 2009.
An early component of Stuxnet has ties to an older malware framework known as Flowershop, according to Guerrero-Saade and Cutler. That framework was active as early as 2002, suggesting “that yet another team with its own malware platform was involved in the early development of Stuxnet,” they wrote.
Guerrero-Saade and Cutler’s discovery notwithstanding, much of Flame 2.0 remains a mystery. Some of the malicious platform’s capabilities are still unknown, they said, because they couldn’t decode modules embedded on a virtual machine.
And so Guerrero-Saade and Cutler appealed for help from other researchers.
“We hope that releasing these indicators at an early stage in our research process will encourage collaboration from the threat intelligence community,” they said.