Software: Flame, Flamer, sKyWIper

ID: S0143
Aliases: Flame, Flamer, sKyWIper
Type: Malware

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.[1]

Alias Descriptions

  • Flame - [1]
  • Flamer - [1][2]
  • sKyWIper - [1][3]

Techniques Used

  • Exfiltration Over Other Network Medium - Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[2]
  • Rundll32 - Rundll32.exe is used to execute Flame at the command line.[3]
  • Replication Through Removable Media - Flame contains modules to infect USB sticks and, using autorun functionality, spread laterally to other Windows systems the stick is plugged into.[1]
  • Create Account - Using the Limbo module, Flame can create backdoor accounts with the login "HelpAssistant".[4]
  • Audio Capture - Flame can record audio using any existing hardware recording devices.[4]
  • Screen Capture - When certain applications are open, Flame can take regular screenshots, which are sent to the command and control server.[1]
  • Exploitation of Vulnerability - Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.[4]