
Gauss Attack Toolkit Targeting Lebanese Banks Related to Stuxnet, Flame

Gauss: “Nation-state cyber-surveillance meets banking Trojan”

Researchers at Kaspersky Lab have uncovered what they believe is another nation-state sponsored cyber-espionage toolkit designed to steal data from individuals in the Middle East.

Dubbed Gauss, the latest toolkit steals passwords, banking credentials, and cookies from web browsers, Kaspersky Lab researchers said on Thursday. Built on the same platform as Flame and sharing module structures, code bases, and means of communication with command and control servers, Gauss was almost certainly created by the same team responsible for Flame, said Vitaly Kamluk, head of the Global Research and Analysis Team at Kaspersky Lab, during a press conference Thursday morning.

Researchers believe that, like Stuxnet, Flame was the work of a state-sponsored group. The creators of Gauss also worked with Stuxnet in its early stages, Kamluk said. Gauss also exploited the same LNK vulnerability as Stuxnet to infect USB drives. Researchers have not yet been able to determine what vulnerabilities it is exploiting or how it initially infects a new machine, Kamluk said.

“After looking at Stuxnet, [the lesser cyberweapon] Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,’” according to a post on Kaspersky Lab’s Securelist blog.

Despite the common elements, there were several differences between Gauss and its earlier relatives. While designed to steal information, Gauss was primarily focused on stealing banking information from several Lebanese banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. Citibank and PayPal users were also targeted.

“This is the first time we’ve seen a direct link between state-sponsored cyber-espionage tools and stealing bank credentials,” Kamluk said.

The actual targets, while still in the Middle East, are also different. Kaspersky detected more than 2,500 infections in May, the majority of them on personal computers in Lebanon. There were also sizable numbers of infected machines in Israel and Palestine, and some infections in nearby Saudi Arabia, Qatar and the United Arab Emirates, but the focus was clearly on Lebanon.

Nearly half of the victims were running Windows 7, followed by Windows XP, Kamluk said. A small number of Vista users and those running other operating systems were also infected.

Like many other types of malware, Gauss also collects configuration information about the infected machine, such as its network interfaces, drives, and BIOS details. However, the payload Gauss delivers is encrypted using a key derived from that collected machine information, so it can only be decrypted on a host whose configuration matches. Researchers have not yet managed to decrypt the payload, according to Kaspersky Lab.
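The following is an added illustration of the environment-keyed encryption scheme the paragraph describes, written for this page; it is not Gauss's code, and the host field names, the PBKDF2 work factor, the SHA-256 counter-mode stream cipher and the fixed salt and nonce are all assumptions chosen to keep the example self-contained. It shows why a sample copied to an analyst's machine yields only an opaque blob, and why recovery without the original host reduces to guessing candidate environments, each guess paying the full key-derivation cost.

```python
# Added illustration of environment-keyed encryption (not Gauss's own code):
# the decryption key is derived from host attributes, so a sample copied to an
# analyst's machine cannot be decrypted without reproducing the original host.
import hashlib
import hmac

ITERATIONS = 100_000  # assumption: work factor of the illustrative KDF

# Constructed host descriptions; field names are assumptions, not Gauss's format.
TARGET_HOST = {
    "interfaces": ["00:11:22:33:44:55", "66:77:88:99:aa:bb"],
    "drives": ["C:", "D:"],
    "bios": "EXAMPLE-BIOS-1.02",
}
ANALYST_HOST = {
    "interfaces": ["de:ad:be:ef:00:01"],
    "drives": ["C:"],
    "bios": "SANDBOX-BIOS-0.9",
}

# Constructed salt and nonce; a real implementation would generate them per file.
SALT = bytes(range(16))
NONCE = bytes(range(16, 32))


def fingerprint(host: dict) -> bytes:
    """Canonicalise the attributes the article names (interfaces, drives, BIOS)."""
    parts = [
        ";".join(sorted(host["interfaces"])),
        ";".join(sorted(host["drives"])),
        host["bios"],
    ]
    return "|".join(parts).encode()


def derive_keys(host: dict, salt: bytes) -> tuple:
    """Slow KDF over the fingerprint: 32-byte cipher key plus 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", fingerprint(host), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(host: dict, payload: bytes, salt: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC the payload under keys derived from this host."""
    enc_key, mac_key = derive_keys(host, salt)
    ct = bytes(a ^ b for a, b in zip(payload, keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_sealed(host: dict, blob: bytes):
    """Return the plaintext, or None when this host's fingerprint does not match."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(host, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong environment: MAC fails, ciphertext stays opaque
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def analyst_search(blob: bytes, candidates: dict):
    """Analyst's view: without the original host, recovery means trying
    candidate environments, each guess paying the full KDF cost."""
    for label, host in candidates.items():
        plaintext = open_sealed(host, blob)
        if plaintext is not None:
            return label, plaintext
    return None, None


if __name__ == "__main__":
    blob = seal(TARGET_HOST, b"constructed payload bytes", SALT, NONCE)
    print(open_sealed(TARGET_HOST, blob))   # decrypts on the intended host
    print(open_sealed(ANALYST_HOST, blob))  # None on the analyst's machine
    print(analyst_search(blob, {"sandbox": ANALYST_HOST, "target": TARGET_HOST}))
```

The MAC is what makes a wrong guess detectable: with a bare stream cipher an analyst would only see garbage and could not tell a near-miss from a hit. For defenders, the scheme also explains why the collection of interface, drive and BIOS details is worth alerting on in its own right, since that enumeration is the key material.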

The main module, which has data-stealing capabilities, appears to be named after the German mathematician Johann Carl Friedrich Gauss, according to Kaspersky Lab. Other components are named after other famous mathematicians, including Joseph-Louis Lagrange and Kurt Gödel. The Gödel module may have Stuxnet-like capabilities targeting industrial control systems.

Researchers uncovered Gauss in June while analyzing Flame. Gauss appears to have been in use since September of last year. Its C&C infrastructure was shut down in July, so the infected machines have been lying dormant with no server to connect to.

Gauss is the latest attack tool specifically designed by nation-states or government-sponsored groups to target foreign governments. Stuxnet was the first to be discovered, and was designed to compromise physical equipment in an Iranian nuclear facility. Duqu was information-stealing malware aimed at a broader set of targets and believed to be developed by the Stuxnet team. Flame, discovered earlier this year, used a forged Microsoft digital certificate to impersonate a Windows Update server in order to spread.

Gauss resembles the rest of the family in another respect: it targets the Middle East. Stuxnet attacked Iran’s nuclear facilities, while Flame infected hundreds of individuals in Iran and other parts of the Middle East.

The “Middle East is turning into an epicenter for complex global cyber attacks,” Kamluk said.
