Mini Flame Ignites a Flicker but Is No Wildfire
“Mini Flame”, detected by Trend Micro as BKDR_FLAMER.SMA is the latest espionage tool to hit the threat landscape. But a closer look reveals that BKDR_FLAMER.SMA does not differ largely from malicious tools like PlugX and PoisonIvy.
Because of its similarities to the Flame malware, this new tool was dubbed “mini flame”. Flame made headlines early this year because of its connection to the notorious Stuxnet and was noted for its information stealing techniques.
Based on our analysis, BKDR_FLAMER.SMA like any other backdoor, connects to specific server to communicate to a remote user. It is capable of executing malicious commands, which includes downloading and uploading files, creating processes and invoking sleep command among others.
Its capabilities, however, do not differ from other remote tools we have seen previously such as PlugX and its predecessor PoisonIvy. PlugX is the latest Remote Access Tool (RAT) used by the same people behind the PoisonIvy campaign that has started as early as 2008. It features noteworthy backdoor modules, enabling a remote attacker to copy, remove, rename or delete files and capture video and screenshots. PlugX also drops a debug log file, which documents error codes that a remote attacker may use to improve future versions.
Mini Flame, as much as it presents serious security concerns, is hardly a threat to common users. Our own findings and media reports indicate that mini flame appears to be a highly specific attack. Trend Micro, with its Smart Protection Network™, detects and deletes this malware if found on user’s system.