An information-stealing backdoor module of the infamous Flame and Guass trojans has been detected on a small number of high-profile machines, according to security researchers.
It targeted between 50 to 60 of the thousands of machines already infected by the Flame and Gauss espionage malware across the Middle East.
The backdoor, dubbed MiniFlame or SPE, could capture screenshots during execution of programs including Microsoft Office, Adobe Reader or instant messenger, and use USB drives to exfiltrate stolen data from offline machines.
It connected to both unique command-and-control servers and those used by Flame, according to Kaspersky researchers.
Senior researcher Roel Schouwenberg told SC MiniFlame gave attackers continued access to targets.
“MiniFlame really serves as a backdoor,” Schouwenberg said.
“Meanwhile, Flame and Gauss were about data and information gathering. MiniFlame gives more direct access to a target machine.”
Kaspersky published an anaylsis of Flame's command-and-control servers last month where it discovered an in-the-wild Flame variant, now thought to be one of several MiniFlame strains infecting machines.
So far, Kaspersky researchers have discovered six strains of MiniFlame malware. They believe development began as far back as 2007. Variations of the malware have been detected in Iran, Kuwait, Qatar, Lebanon and Palestine.
In a Monday blog post, Symantec also confirmed that it discovered an additional module of Flame that could operate independently of the malware.
“The samples appear to have remained unobserved for so long due to their highly targeted nature; however one more of those protocols has been identified and found to be in use,” said the blog post. “That protocol is for a module that can operate independently of [Flame].”
Flame and Gauss are believed to be creations of the United States.
In the blog post, Kaspersky said that the discovery of MiniFlame uncovers more details about the highly orchestrated spy campaigns, but that a lot more remains to be seen.
“With Flame, Gauss and MiniFlame, we have probably only scratched the surface of the massive cyber-spy operations in the Middle East,” the post said. “Their true, full purpose remains obscure, and the identity of the victims and attackers remain unknown.”