S0143 Flame
Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. [1]
| Item | Value |
|---|---|
| ID | S0143 |
| Associated Names | Flamer, sKyWIper |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 12 October 2022 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Flamer | [1] [3] |
| sKyWIper | [1] [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1123 | Audio Capture | Flame can record audio using any existing hardware recording devices. [1] [4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.002 | Authentication Package | Flame can use Windows Authentication Packages for persistence. [2] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | Flame can create backdoor accounts with login "HelpAssistant" on domain-connected systems if appropriate rights are available. [1] [4] |
| enterprise | T1011 | Exfiltration Over Other Network Medium | - |
| enterprise | T1011.001 | Exfiltration Over Bluetooth | Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity. [3] |
| enterprise | T1210 | Exploitation of Remote Services | Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally. [1] [4] |
| enterprise | T1091 | Replication Through Removable Media | Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality. [1] |
| enterprise | T1113 | Screen Capture | Flame can take regular screenshots when certain applications are open; the screenshots are sent to the command and control server. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Flame identifies security software such as antivirus through the Security module. [1] [4] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Rundll32.exe is used as a way of executing Flame at the command line. [2] |
| ics | T0893 | Data from Local System | Flame has built-in modules to gather information from compromised computers. [5] |
| ics | T0882 | Theft of Operational Information | Flame can collect AutoCAD design data and Visio diagrams as well as other documents that may contain operational information. [5] |
References
1. Gostev, A. (2012, May 28). The Flame: Questions and Answers. Retrieved March 1, 2017.
2. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
3. Symantec Security Response. (2012, May 31). Flamer: A Recipe for Bluetoothache. Retrieved February 25, 2017.
4. Gostev, A. (2012, May 30). Flame: Bunny, Frog, Munch and BeetleJuice…. Retrieved March 1, 2017.
5. Savage, K. and Spasojevic, B. W32.Flamer. Retrieved November 3, 2019.