Skip to content

S0143 Flame

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. 1

Item Value
ID S0143
Associated Names Flamer, sKyWIper
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Flamer 1 2
sKyWIper 1 3

Techniques Used

Domain ID Name Use
enterprise T1123 Audio Capture Flame can record audio using any existing hardware recording devices.14
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.002 Authentication Package Flame can use Windows Authentication Packages for persistence.3
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available.14
enterprise T1011 Exfiltration Over Other Network Medium -
enterprise T1011.001 Exfiltration Over Bluetooth Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.2
enterprise T1210 Exploitation of Remote Services Flame can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.14
enterprise T1091 Replication Through Removable Media Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.1
enterprise T1113 Screen Capture Flame can take regular screenshots when certain applications are open that are sent to the command and control server.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Flame identifies security software such as antivirus through the Security module.14
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Rundll32.exe is used as a way of executing Flame at the command-line.3

References

Back to top