Flame, the nation-state-developed malware kit that targeted computers in Iran, has reemerged after going quiet when researchers exposed it back in 2012. The attackers tried to hide their tracks by scrubbing servers used to talk to infected computers. Some thought they had seen the last of the potent malware platform.
Tracing early components of Flame, researchers found a new version of it that was likely used between 2014 and 2016. Flame 2.0 is “clearly built” from the original source code, but it has new measures aimed at eluding researchers.
The discovery shows that good source code dies hard, and that tracking its evolution can be a very long game for researchers.
Researchers uncover new version of the infamous and sophisticated Flame spykit and find code similarities that connect Stuxnet to another threat actor known as Flowershop https://t.co/tIMCV2KoS9
— Kim Zetter (@KimZetter) April 9, 2019
Maor Hizkiev, CTO and co-founder at BitDam:
“The best cybercrime groups, like all successful businesses, are agile, adaptable and cost effective. Without having to “reinvent the wheel” or invest lots of money, they can iterate old attack vectors to evade detection and bypass rule-based security solutions with quick and simple “tweaks.” In this case, reviving a seemingly dormant form of malware by tweaking it with added strong encryption enables the antagonist to spring an attack that its targets aren’t prepared for.
Attackers can modify malware at such a rate and in such an unpredictable way that it is impossible for organisations or individual users to predict what they are going to do next. The only real means of protecting against a mutable attack vector like this is to implement a solution that specialises in detecting content-borne attacks by analysing the file regardless of the meta-data that comprises it, such as sender and IP address. By doing so, organisations can continue to detect and block malicious code and links, even as they change and develop.”