
Flowershop Malware

Posted: April 11, 2019

The Flowershop Malware is a Trojan framework that delivers commands to related backdoor Trojans and handles other data-passing activities. Its history is strongly tied to suspected state-sponsored activity against Middle Eastern targets as a precursor to, or enabler of, Stuxnet. Users should protect their PCs by keeping anti-malware software on hand to identify the limited symptoms of an infection and remove the Flowershop Malware's components.

Trojans in Bloom Throughout Arabia

Stuxnet, the industrial-sabotage worm, may have had its infrastructure in development for even longer than cyber-security experts had thought. Crucial signature details provided by the Shadow Brokers hacking group, along with advances in YARA-based detection, are uncovering another framework that could be a predecessor of Stuxnet or a parallel structure that ran alongside Stuxnet's other components. This threat, the Flowershop Malware, is named for the repeated references to flowers in its domain names.

The Flowershop Malware shares some critical elements with the Stuxshop variant of Stuxnet. These traits include highly specific infection-marker queries, proxy-settings checks, and a function that identifies which version of the operating system the infected system runs. The close resemblance and specificity of this code all but confirm that the threat actors coding and maintaining the Flowershop Malware also had privileged access to Stuxnet. It is also likely that the Flowershop Malware supports a 'killswitch' function that disables the infection when the C&C communication it depends on is absent.

The overarching group of threat actors managing both the Flowershop Malware and related threats, such as the Stuxnet campaign, is referred to in the cyber-security community as Gossip Girl. Other threats linked to the same group include the Equation Malware, which is reportedly a product of the US NSA, and Duqu, a spyware program that also reuses some of the Stuxnet worm's code. A consistent theme across all of these separate threats is their targeting of Middle Eastern entities, although the Flowershop Malware is one of the most successful at remaining covert, having avoided detection by the cyber-security industry's rulesets for many years.

Wilting a Garden of Trojan Attacks

The Flowershop Malware's old campaigns are more relevant to the security concerns of government networks and specialized businesses, such as the energy sector, than to average PC owners. However, the Shadow Brokers leaks raise the concern that the Flowershop Malware, or other threats under the same umbrella, could be hijacked and misused by other threat actors. Regardless of who uses it, a Flowershop Malware infection is a high-level security risk to the compromised system.

Like any state-backed threat, the Flowershop Malware is highly covert and ordinarily avoids symptoms that would give away its presence. However, appropriate security software may detect infections by searching for the specific registry entries, files, and other identifiers of its Trojans. Professional-quality, updated anti-malware products should remove the Flowershop Malware, although disconnecting the PC from the network while disinfecting it is highly recommended as a precaution against its communication features.

The Flowershop Malware is an interesting old-but-new chapter in threat analysis, and Gossip Girl shows every sign of continuing to provide fodder for future analyses. However, finding samples may be hard work, given the group's willingness to revamp its software and its emphasis on concealment above all else.
