1. Home
  2. Software
  3. Flame

Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]

ID: S0143
Associated Software: Flamer, sKyWIper
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Flamer

[1] [2]
sKyWIper

[1] [3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Flame can record audio using any existing hardware recording devices.[1][4]
Enterprise T1547 .002 Boot or Logon Autostart Execution: Authentication Package

Flame can use Windows Authentication Packages for persistence.[3]
Enterprise T1136 .001 Create Account: Local Account

Flame can create backdoor accounts with login "HelpAssistant" on domain connected systems if appropriate rights are available.[1][4]
Enterprise T1011 .001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.[2]
Enterprise T1210 Exploitation of Remote Services

Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.[1][4]
Enterprise T1091 Replication Through Removable Media

Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.[1]
Enterprise T1113 Screen Capture

Flame can take regular screenshots when certain applications are open that are sent to the command and control server.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Flame identifies security software such as antivirus through the Security module.[1][4]
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Rundll32.exe is used as a way of executing Flame at the command-line.[3]

References

  1. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
  2. Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.
  1. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
  2. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuiceā€¦. Retrieved March 1, 2017.