Flame 2.0 spyware found using strong encryption algorithm to avoid detection
- This new sample had first appeared in 2014 and likely remained active until 2016.
- The researchers had managed to find Flame 2.0 using YARA rules.
Researchers have uncovered a new variant of Flame spyware recently. This new sample had first appeared in 2014 and likely remained active until 2016.
What does the research say - Researchers at Alphabet’s Chronicle Security found that the operators behind the Flame spy malware had simply modified the code and added a strong encryption algorithm to make it harder to detect.
“Nobody ever expected to see Flame again. We figured it was too old and expensive [for the attackers] to waste time retooling rather than … just build a whole new platform,” said Juan-Andres Guerrero-Saade, one of the Chronicle security researchers, MotherBoard reported.
The researchers had managed to find Flame 2.0 using YARA rules. They crafted the YARA rules to search the VirusTotal archive for anything resembling Flame and found files that had been submitted by someone in late 2016. At that time, none of the antivirus scanners on the website were able to detect the files as malicious.
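The retro-hunt described above works by writing signatures for recognizable byte and string patterns and scanning an archive of samples against them. The following is an added example, not Chronicle's rules or any real Flame indicator: a minimal matcher that implements a subset of YARA rule semantics (text strings with `nocase`/`wide` modifiers, hex strings with `??` wildcards and `[n-m]` jumps, and an "N of them" condition) in pure Python and runs it over a constructed in-memory corpus. Every pattern and sample below is a constructed placeholder.

```python
"""Minimal YARA-style matcher (added example; all patterns are constructed placeholders)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str
    strings: Dict[str, "re.Pattern[bytes]"]  # identifier -> compiled byte regex
    min_matches: int                          # YARA's "N of them" condition


def hex_pattern(spec: str) -> "re.Pattern[bytes]":
    """Translate a YARA hex string such as '4D 5A ?? [2-4] 50 45' into a byte regex.

    Supported tokens: two-digit hex bytes, '??' (any byte) and '[lo-hi]' jumps.
    Nibble wildcards like '4?' are intentionally not supported in this toy version.
    """
    parts: List[bytes] = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(text: str, nocase: bool = False, wide: bool = False) -> "re.Pattern[bytes]":
    """Translate a YARA text string (with optional 'nocase' and 'wide' modifiers)."""
    data = text.encode("utf-16-le") if wide else text.encode("ascii")
    flags = re.DOTALL | (re.IGNORECASE if nocase else 0)
    return re.compile(re.escape(data), flags)


def scan(rule: Rule, data: bytes) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits: Dict[str, List[int]] = {}
    for ident, pat in rule.strings.items():
        offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


def matches(rule: Rule, data: bytes) -> bool:
    """Evaluate the rule's 'N of them' condition against one sample."""
    return len(scan(rule, data)) >= rule.min_matches


def hunt(rule: Rule, corpus: Dict[str, bytes]) -> List[str]:
    """Retro-hunt: names of every sample in the corpus that the rule matches."""
    return [name for name, blob in corpus.items() if matches(rule, blob)]


# Constructed demonstration rule; none of these strings is a real malware indicator.
DEMO_RULE = Rule(
    name="demo_modular_platform_placeholder",
    strings={
        # DOS 'MZ' header followed, within a plausible window, by the 'PE\0\0' signature
        "$mz_pe": hex_pattern("4D 5A [58-200] 50 45 00 00"),
        # constructed ASCII marker standing in for a config-block artefact
        "$cfg": text_pattern("PLACEHOLDER_CONFIG_MARKER"),
        # constructed UTF-16LE marker, matched case-insensitively
        "$wide": text_pattern("placeholder-module", nocase=True, wide=True),
    },
    min_matches=2,  # "2 of them"
)

# Constructed corpus: a stub that is only header-shaped, not a runnable executable.
PE_STUB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
SAMPLES: Dict[str, bytes] = {
    "sample_a.bin": PE_STUB + b"\x90" * 16 + b"PLACEHOLDER_CONFIG_MARKER" + b"\x00" * 8,
    "sample_b.bin": PE_STUB + b"hello world, nothing to see here",
    "sample_c.txt": "Placeholder-Module".encode("utf-16-le") + b"\nPLACEHOLDER_CONFIG_MARKER",
}

if __name__ == "__main__":
    for name in hunt(DEMO_RULE, SAMPLES):
        print(name, scan(DEMO_RULE, SAMPLES[name]))
```

In practice the same rule would be written in YARA's own syntax and run with the `yara` tool or against an archive such as VirusTotal; the point of the toy matcher is to show that a hunt rule is just a set of byte and string patterns plus a counting condition, which is why a family that keeps its code structure but wraps its payload in stronger encryption can still surface on the unencrypted parts.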
About Flame spyware - Flame, which is believed to have been created by Israel, was the first modular spy platform discovered in the wild. It included many capabilities that were unique at the time of its discovery, and it used a highly sophisticated technique to spread to victims’ machines.
To do this, the attackers first tricked Microsoft into issuing them a legitimate Microsoft certificate. This enabled them to distribute the malware disguised as real patches and software updates signed under the legitimate Microsoft certificate.
During the infection process, the malware used a total of 80 command-and-control domains to communicate with its C2 infrastructure.
The developers behind Flame 2.0 have used a strong encryption algorithm that the Chronicle researchers have so far been unable to crack. As a result, it is still unknown what the new variant can do once it infects a machine.