Security Experts:

Gauss Attack Toolkit Targeting Lebanese Banks Related to Stuxnet, Flame

Gauss: "Nation-state cyber-surveillance meets banking Trojan"

Researchers at Kaspersky Lab have uncovered what they believe is another nation-state sponsored cyber-espionage toolkit designed to steal data from individuals in the Middle East.

Dubbed Gauss, the latest toolkit steals passwords, banking credentials, and browser cookies from browsers, Kaspersky Lab researchers said on Thursday. Built on the same platform as Flame and sharing module structures, code bases, and means of communication with command and control servers, Gauss was created almost certainly by the same team responsible for Flame, said Vitaly Kamluk, head of the Global Research and Analysis Team at Kaspersky Lab, during a press conference Thursday morning.

Gauss MalwareResearchers believe that like Stuxnet, Flame was the work of a state-sponsored group. The creators of Gauss also worked with Stuxnet in the early stages, Kamluk said. Gauss also exploited the same LNK vulnerability as Stuxnet to infect USB drives. Researchers have not yet been able to determine what vulnerabilities it is exploiting or how it initially infects a new machine, Kamluk said.

"After looking at Stuxnet, [the lesser cybeweapon] Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" according to a post on Kaspersky Lab's Securelist blog.

Despite the common elements, there were several differences between Gauss and its earlier relatives. While designed to steal information, Gauss was primarily focused on stealing banking information from several Lebanese banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Citibank and PayPal users were also targeted.

"This is the first time we've seen a direct link between state-sponsored cyber-espionage tools and stealing bank credentials," Kamluk said.

The actual targets, while still in the Middle East, are also different. Kaspersky has detected more than 2,500 infections in May, with the majority of the infections on personal computers in Lebanon. There were a bulk of infected machines in Israel and Palestine, and some infections in nearby Saudi Arabia, Qatar and United Arab Emirates, but the focus was clearly on Lebanon.

Nearly half of the victims were running Windows 7, followed by Windows XP, Kamluk said. A small number of Vista users and those running other operating systems were also infected.

Kaspersky Lab

Like many other types of malware, Gauss also collects configuration information of the infected machine, such as network interfaces, the computer's drives, and BIOS information. However, the payload Gauss delivers is encrypted using a key that's derived from the information collected from the infected machine. Researchers haven't yet managed to decrypt the file, according to Kaspersky Lab.

The main module, which has data-stealing capabilities, appears to be named after German mathematician Johann Carl Friedrich Gauss, according to Kaspersky Lab. Other components are also named after other famous mathematicians, including Joseph-Louis Lagrange and Kurt Godel. Godel may have Stuxnet-like capabilities targeting industrial control systems.

Researchers uncovered Gauss in June while it was analyzing Flame. It appears Gauss was used beginning in September last year. The C&C infrastructure was shut down in July, so the infected machines have been lying dormant with no server to connect to.

Gauss is the latest attack tool specifically designed by nation-states or government-sponsored groups to target foreign governments. Stuxnet was the first to be discovered, and was designed to compromise physical equipment in an Iranian nuclear facility. Duqu was an information-stealing malware targeting a broader set of targets and believed to be developed by the Stuxnet team. Flame, discovered earlier this year, forged Microsoft digital certificate in order to impersonate a Windows Update server to spread.

Gauss is similar to the rest of the family in another respect that it is targeting the Middle East. Stuxnet attacked Iran's nuclear facilities, while Flame infected hundreds of individuals in Iran and other parts of the Middle East.

The "Middle East is turning into an epicenter for complex global cyber attacks," Kamluk said.

Subscribe to the SecurityWeek Email Briefing
view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.
view counter