‘Flame’ Malware Used Massive Web of Fake Identities and Websites
The attackers behind the complex Flame cyberespionage toolkit, believed to be a state-sponsored operation, used an extensive list of fake identities to register at least 86 domains that served as part of their command-and-control infrastructure, according to researchers at Russia-based antivirus firm Kaspersky Lab.
Kaspersky says the size of the command-and-control infrastructure, which appears to have remained partially active for days after the operation was publicly exposed, exceeds anything the company has seen before.
“The huge amount of fake domains and fake identities used to run this infrastructure is pretty much unprecedented and unlike any other malware that we have seen before,” said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. “In my opinion, it’s an indication of the huge resources which went into this project.”
Many of the domains, registered as early as 2008 in some cases and as late as April of this year, were registered through GoDaddy using fake registrant addresses in Germany and Austria, with Vienna a particularly popular choice for the attackers, according to Kaspersky's research. Many of the addresses corresponded to places like hotels, medical offices, and shops. At least one address was that of the British Library in Paris. Other addresses did not appear to exist at all.
At various times the domains resolved to 24 IP addresses located in Germany, Poland, Malaysia, Latvia, Switzerland, Turkey, the Netherlands, Hong Kong and other places.
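The pattern described above (many domains, a few recycled fake registrant addresses, a small pool of hosting IPs) is what analysts pivot on to map infrastructure like this. The following is an added example, not Kaspersky's code or data: it clusters a handful of constructed registration records by shared resolved IP or shared registrar-plus-registrant-address tuple, then summarizes each cluster's date span, IPs and cities. Every domain, address and IP in it is invented for illustration.

```python
"""Pivot on registrant and hosting data to cluster suspected C2 domains.

Constructed example: the records below imitate the pattern the article
describes (many domains, fake addresses in Vienna and German cities,
few hosting IPs). Domains use the reserved .test TLD and IPs come from
documentation ranges; none of this is real Flame data.
"""
from collections import defaultdict
from datetime import date

# Constructed records:
# (domain, registrar, registrant_city, registrant_country, registered, resolved_ip)
RECORDS = [
    ("example-update1.test", "GoDaddy",  "Vienna", "AT", date(2008, 5, 2),  "198.51.100.10"),
    ("example-update2.test", "GoDaddy",  "Vienna", "AT", date(2009, 1, 14), "198.51.100.10"),
    ("example-sync3.test",   "GoDaddy",  "Berlin", "DE", date(2011, 7, 30), "203.0.113.5"),
    ("example-sync4.test",   "GoDaddy",  "Vienna", "AT", date(2012, 4, 3),  "203.0.113.5"),
    ("unrelated-shop.test",  "OtherReg", "Lyon",   "FR", date(2010, 3, 9),  "192.0.2.77"),
]


def _union_find(n):
    """Minimal disjoint-set structure over record indices."""
    parent = list(range(n))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    return find, union


def link_domains(records):
    """Cluster domains that share a resolved IP or the same
    (registrar, city, country) registrant tuple. Transitive links count:
    A shares an IP with B and B shares an address with C puts all three
    together. Returns a list of domain sets, largest first."""
    find, union = _union_find(len(records))
    by_ip = defaultdict(list)
    by_registrant = defaultdict(list)
    for idx, (_domain, registrar, city, country, _registered, ip) in enumerate(records):
        by_ip[ip].append(idx)
        by_registrant[(registrar, city, country)].append(idx)
    for group in list(by_ip.values()) + list(by_registrant.values()):
        for other in group[1:]:
            union(group[0], other)
    clusters = defaultdict(set)
    for idx, rec in enumerate(records):
        clusters[find(idx)].add(rec[0])
    return sorted(clusters.values(), key=len, reverse=True)


def summarize(cluster, records):
    """Describe one cluster: size, hosting IPs, registrant cities, date span."""
    rows = [r for r in records if r[0] in cluster]
    dates = sorted(r[4] for r in rows)
    return {
        "domains": len(rows),
        "ips": sorted({r[5] for r in rows}),
        "cities": sorted({r[2] for r in rows}),
        "first_registered": dates[0].isoformat(),
        "last_registered": dates[-1].isoformat(),
    }


if __name__ == "__main__":
    for cluster in link_domains(RECORDS):
        print(summarize(cluster, RECORDS))
```

Keying on registrar plus city alone is deliberately coarse so the toy data links up; against real WHOIS data that key would lump unrelated Vienna registrants together, so in practice you would pivot on the full registrant name and street address (which fake identities tend to reuse verbatim), and treat a shared IP at a cheap shared-hosting provider as a weaker link than a shared dedicated server.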