A new, highly sophisticated malware threat that was predominantly used in cyberespionage attacks against targets in the Middle East has been identified and analyzed by researchers from several security companies and organizations.
According to the Iranian Computer Emergency Response Team (MAHER), the new piece of malware is called Flame and might be responsible for recent data loss incidents in Iran. There are also reasons to believe that the malware is related to the Stuxnet and Duqu cyberespionage threats, the organization said on Monday.
Malware researchers from antivirus firm Kaspersky Lab have also analyzed the malware and found that while it is similar to Stuxnet and Duqu in terms of the geographic propagation and targeting, it has different features and it is, in many ways, more complex than both of those threats.
Flame, as the Kaspersky researchers call it, is a very large attack toolkit with many individual modules. It can perform a variety of malicious actions, most of which are related to data theft and cyberespionage.
Among other things, it can use a computer's microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic, and communicate with nearby Bluetooth devices.
One of the toolkit's first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.
Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB, and one file in particular measures over 6MB alone, Kamluk said.
Another interesting aspect of the threat is that some parts of Flame were written in LUA, a programming language that's highly uncommon for malware development. LUA is often used in the computer gaming industry, but Kaspersky Lab hasn't seen any malware samples before Flame that were written in the language, Kamluk said.
Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Microsoft Windows printer vulnerability that was also leveraged by Stuxnet.
The Kaspersky researchers haven't found any evidence of an unknown (0-day) vulnerability being exploited by this malware, but Flame is known to have infected a fully patched Windows 7 computer, so they don't completely exclude the possibility, Kamluk said.
When infecting computers that are protected by antivirus programs, Flame avoids performing certain actions or executing malicious code that might trigger a proactive detection from those security applications. This is one of the reasons that the malware flew under the radar for so long, Kamluk said.
By checking the data from its worldwide network of malware sensors, Kaspersky Lab has managed to identify current and past Flame infections in the Middle East and Africa, predominantly in countries like Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.