More Flame/sKyWIper CNC Behavior Uncovered

When news of the Flame/SkyWiper malware hit the headlines last month, the world went into a frenzy. Flame was immediately hailed as the world’s most sophisticated malware. While security researchers will surely be talking about Flame for years to come, FireEye has since made another discovery regarding Flame’s command and control (CNC) behavior: it appears that the Flamer/sKyWIper malware’s callback has recently changed.

Specifically, we have evidence that the malware is likely proxy-aware and can tunnel its callback traffic over SSL to the attacker’s CNC infrastructure. 


Figure 1. Screenshot of possible Flamer/sKyWIper CNC traffic (tunneled)

As illustrated in Figure 1, we believe this traffic is associated with the Flamer/sKyWIper CNC communication based on the unique User-Agent header, which is identical to the User-Agent header reported by CrySyS Lab. On closer inspection of the User-Agent string, we find that the .NET version it claims (.NET CLR 1.1.2150) has never been released by Microsoft. Additionally, based on a search of our internal malware database and of several search engines, we are certain that this User-Agent string has never previously been used by any malware. Attackers normally employ unique User-Agent values in their callback communication in order to track the different versions of their malware reporting back to their command and control infrastructure.

Looking at the request itself, it appears the compromised endpoint is using the HTTP request method “CONNECT” to upgrade the HTTP connection to HTTPS upon connecting to the enterprise proxy server inside the victim’s organization. The IP:443 after the CONNECT keyword is the actual remote CNC server IP using TCP port 443. By tunneling traffic over SSL through enterprise proxies, this traffic is able to bypass most outbound defenses, including next-generation firewalls and data loss prevention appliances.
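The two indicators described above (a User-Agent claiming an unreleased .NET CLR build, and a CONNECT tunnel to a bare IP on port 443) can be checked directly against proxy-logged requests. The following detector is an added example, not FireEye's code; the list of released CLR builds is an assumed allow-list to extend for the builds present in your fleet, and the sample requests (including the 192.0.2.10 CNC address and the full User-Agent string around the 1.1.2150 token the post cites) are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumed allow-list of .NET CLR builds Microsoft actually shipped; extend it
# with any build that legitimately appears in your own fleet's User-Agents.
RELEASED_CLR_BUILDS = {"1.0.3705", "1.1.4322", "2.0.50727",
                       "3.0.4506", "3.5.30729", "4.0.30319"}
# The unreleased build the post ties to the Flamer/sKyWIper User-Agent.
FLAME_CLR_BUILD = "1.1.2150"

CLR_TOKEN = re.compile(r"\.NET CLR (\d+\.\d+\.\d+)")
REQUEST_LINE = re.compile(r"^(\w+) (\S+) HTTP/1\.[01]$")
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_request(raw: str) -> Optional[Dict[str, str]]:
    """Parse the request line and headers of one raw HTTP request seen at the proxy."""
    lines = raw.strip().splitlines()
    m = REQUEST_LINE.match(lines[0].strip()) if lines else None
    if not m:
        return None
    req = {"method": m.group(1).upper(), "target": m.group(2)}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            req[name.strip().lower()] = value.strip()
    return req

def assess(raw: str) -> List[str]:
    """Return the reasons this proxy request resembles the tunneled Flame callback."""
    req = parse_request(raw)
    if req is None:
        return []
    reasons = []
    builds = CLR_TOKEN.findall(req.get("user-agent", ""))
    if FLAME_CLR_BUILD in builds:
        reasons.append("user-agent carries the Flamer/sKyWIper .NET CLR 1.1.2150 token")
    for b in builds:
        if b not in RELEASED_CLR_BUILDS and b != FLAME_CLR_BUILD:
            reasons.append(f"user-agent claims unreleased .NET CLR build {b}")
    # CONNECT host:443 asks the enterprise proxy for a raw SSL tunnel; a bare IP
    # rather than a hostname as the target is the second tell from the post.
    if req["method"] == "CONNECT" and req["target"].endswith(":443"):
        host = req["target"].rsplit(":", 1)[0]
        if BARE_IPV4.fullmatch(host):
            reasons.append(f"CONNECT tunnel to bare IP {host}:443")
    return reasons

# Constructed samples (placeholder CNC address, not the one in Figure 1).
FLAME_LIKE = ("CONNECT 192.0.2.10:443 HTTP/1.1\r\nHost: 192.0.2.10:443\r\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.2150)\r\n")
BENIGN = ("CONNECT update.example.com:443 HTTP/1.1\r\nHost: update.example.com:443\r\n"
          "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET CLR 2.0.50727)\r\n")
```

Feed each CONNECT request from the proxy access log through `assess()`; a hit on the 1.1.2150 token alone is high confidence, while the bare-IP tunnel on its own is only a weak signal worth correlating.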

Currently, the CNC server mentioned in Figure 1 is not accepting any connections on TCP port 443. It is possible this server was also terminated as part of the attacker’s current effort to shut down all operations. Incidentally, the CNC IP address is a shared server located in Switzerland and is currently hosting 10 other websites. Another thing to note: the infected endpoint that generated this callback traffic was located in Sweden, which is outside the malware’s original target area.

We are closely monitoring Flamer/sKyWIper and will provide additional updates.