miniFlame aka SPE: "Elvis and his friends"
In May 2012, a Kaspersky Lab investigation detected a new nation-state cyber-espionage malware, which we named “Flame”. Our research also identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This confirmed there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.
A more in-depth research conducted in June 2012 resulted in the discovery of another nation state-sponsored and previously unknown malware which we named «Gauss». Gauss used a modular structure resembling that of Flame, a similar code base and system for communicating with command-and-control (C&C) servers, as well as numerous other similarities to Flame.
In partnership with Symantec, ITU-IMPACT and CERT-Bund/BSI, we also published our analysis of the Flame Command and Control servers. The analysis showed that the code can understand several communication protocols to talk to different «clients» or malware:
- RedProtocol (mentioned but not implemented)