Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

ID: S0143
Associated Software: Flamer, sKyWIper

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Flamer[1] [4]
sKyWIper[1] [3]

Techniques Used

EnterpriseT1123Audio CaptureFlame can record audio using any existing hardware recording devices.[1][2]
EnterpriseT1131Authentication PackageFlame can use Windows Authentication Packages for persistence.[3]
EnterpriseT1136Create AccountFlame can create backdoor accounts with the login "HelpAssistant" with the Limbo module.[1][2]
EnterpriseT1011Exfiltration Over Other Network MediumFlame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[4]
EnterpriseT1210Exploitation of Remote ServicesFlame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.[1][2]
EnterpriseT1091Replication Through Removable MediaFlame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using autorun functionality.[1]
EnterpriseT1085Rundll32Rundll32.exe is used as a way of executing Flame at the command-line.[3]
EnterpriseT1113Screen CaptureFlame can take regular screenshots when certain applications are open that are sent to the command and control server.[1]
EnterpriseT1063Security Software DiscoveryFlame identifies security software such as antivirus through the Security module.[1][2]