Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

ID: S0143
Associated Software: Flamer, sKyWIper
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 12 October 2022

Associated Software Descriptions

Name Description

[1] [2]


[1] [3]

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Flame can record audio using any existing hardware recording devices.[1][4]

Enterprise T1547 .002 Boot or Logon Autostart Execution: Authentication Package

Flame can use Windows Authentication Packages for persistence.[3]

Enterprise T1136 .001 Create Account: Local Account

Flame can create backdoor accounts with login "HelpAssistant" on domain connected systems if appropriate rights are available.[1][4]

Enterprise T1011 .001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[2]

Enterprise T1210 Exploitation of Remote Services

Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.[1][4]

Enterprise T1091 Replication Through Removable Media

Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.[1]

Enterprise T1113 Screen Capture

Flame can take regular screenshots when certain applications are open that are sent to the command and control server.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Flame identifies security software such as antivirus through the Security module.[1][4]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Rundll32.exe is used as a way of executing Flame at the command-line.[3]

ICS T0811 Data from Information Repositories

Flame has built-in modules to gather information from compromised computers. [5]

ICS T0882 Theft of Operational Information

Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. [5]