Like its big cousins Flame and Gauss, miniFlame is designed to steal data and control infected machines. However, rather than casting a wide net, it acts as an in-depth tool. Kaspersky estimates that unlike Flame or Gauss, which had high number of infections, the amount of infections for miniFlame is much smaller, falling between 10 and 20 machines now, and accounting for only 50–60 total number of infections worldwide to date.
“The number of infections combined with miniFlame’s info-stealing features and flexible design indicate it was used for extremely targeted cyber-espionage operations, and was most likely deployed inside machines that were already infected by Flame or Gauss,” Alexander Gostev, chief security exper at Kaspersky Lab, said in a research note.
Kaspersky originally found miniFlame in July 2012, and identified it as a Flame module. However, a deeper look has revealed that it is an interoperable tool in its own right, capable of being deployed as an independent malicious program that operates as a backdoor designed for data theft and opening up direct access to infected systems by a remote operator. Additional info-stealing capabilities include making screenshots of an infected computer while it’s running a specific program or application in such as a web browser, Microsoft Office program, Adobe Reader, instant messenger service or an FTP client. Separately, at the request from miniFlame’s command and control operator, an additional data-stealing module can be sent to an infected system that infects USB drives and uses them to store data that’s collected from infected machines without an internet connection.
But, miniFlame can be used as a plug-in for both the Flame and Gauss malware, indicating cooperation between the creators of those two spywares, Kaspersky noted. “Since the connection between Flame and Stuxnet/Duqu has already been revealed, it can be concluded that all these advanced threats come from the same cyber-warfare factory,” Gostev said.
“miniFlame is a high precision attack tool,” said Gostev. “Most likely it is a targeted cyber-weapon used in what can be defined as the second wave of a cyberattack.”
For example, first, Flame or Gauss are used to infect as many devices as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.
Development of miniFlame might have started as early as 2007, Kaspersky said, continuing until the end of 2011, with many variants created. To date, Kaspersky has identified six of these variants, covering two major generations: 4.x and 5.x.