A major new cyber attack that targets users in the Middle East and Eastern Europe has been uncovered by security researchers in the past few days.
The ‘Win32.Flame' or ‘W32.Flamer' attack shows high levels of complexity, and appears to be engineered to conduct espionage, early reports show.
Researchers say the code for the attack is highly complex, with up to 100 times more code than an average financial malware, is a large file size at 20MB, and is modular in nature, suggesting it may have been developed by several different coders and allowing it to be updated and amended to change tactics.
Unlike previous high profile attacks against the region such as Stuxnet and Duqu, that attacked industrial sites, Flamer appears to have been targeting individuals rather than organisations.
The malware has been detected in the Palestinian West Bank, Hungary, Iran, Lebanon, Russia, Austria, Hong Kong, and the United Arab Emirates, although specific targets have not been fully identified. It is also unclear how many systems may have been infected.
Flamer has a payload that would strongly suggest its use for espionage, as it is able to steal documents, take screenshots of users' desktops, spread via USB drives, disable security vendor products, turn on PC microphones, turn on Bluetooth, intercept network traffic and spread to other systems under certain conditions. The threat may also have the ability to leverage multiple known and patched vulnerabilities in Microsoft Windows, in order to spread across a network.
Flamer also appears to allow the attacker to activate different functions, meaning that the attacker can choose what to do on a target device, and depending on the attack, Flamer also appears to allow the attacker to activate different functions, meaning that the attacker can choose what to do on a target device, and depending on the attack, the malware will appear different in terms of behaviour at different times.
Security companies including Symantec have been able to block Flamer after identifying some of its component parts.
The code for Flamer references another emerging malware threat, codenamed ‘Wiper', because it can wipe data from hard drives, which Iran's National computer Emergency Response Team confirmed was used to attack Iranian oil plants in April. However, there is no hard evidence linking Flamer to Stuxnet or Duqu.
Researchers believe that Flamer has been active for at least two years, and possibly as many as five years.
The complexity of the code, which uses 20 times more code than Stuxnet, and its modular nature, suggests that it may have been developed over time by several different groups, and the volume of code may indicate that it is an early generation malware. Symantec said in a security alert that "this code was not written by a single individual but by an organised well funded group of personnel with directives."
Alexander Gostev, chief security expert at Kaspersky Lab, commented: "The preliminary findings of the research, conducted upon an urgent request from ITU, confirm the highly targeted nature of this malicious program. One of the most alarming facts is that the Flame cyber-attack campaign is currently in its active phase, and its operator is consistently surveilling infected systems, collecting information and targeting new systems to accomplish its unknown goals."