Intel Security

Attack: “Flame”

On May 27, 2012 industry and media outlets began reporting details on a complex targeted attack known as “Flame” or “Flamer”. In some cases, this same threat was previously described as “Viper” or “Wiper”. This, currently active, attack is multi-faceted and in many ways sets a new precedence for recon and data exfiltration within this attack genre.

Attack Details

Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:

  • Scanning network resources
  • Stealing information as specified
  • Communicating with command and control (C&C) servers over SSH and HTTPS protocols
  • Detecting the presence of more than 100 security products (antivirus, antispyware, firewalls, etc.)
  • Using both kerneland user-mode logic
  • Employing complex internal functionality using Windows APC calls and and threads start manipulation, and code injections to key processes Loading as part of Winlogon.exe and then injecting itself into explorer.exe and services
  • Concealing its presence as ~ named temp files, just as Stuxnet and Duqu
  • Attacking new systems via USB flash memory and local networks (spreading slowly)
  • Creating screen captures
  • Recording voice conversations
  • Running on Windows XP, Windows Vista, and Windows 7 systems
  • Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
  • Using SQLite database to store collected information
  • Using custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
  • Often located on nearby systems: a local network for both C&C and target infection cases
  • Uses multiple encryption methods (ex: XOR and RC4)