SecurityWeek

Cyberwarfare

Kaspersky Looks for Help Deciphering Gauss Malware

Researchers at Kaspersky Lab are asking for help peeling back the layers covering a mysterious payload of the Gauss malware.

Speculated to be linked to Flame, Gauss was revealed last week to be the latest piece of cyber-espionage malware targeting the Middle East. Primarily hitting users in Lebanon, Gauss steals data about the infected machine as well as information from browsers, such as the history of visited websites and user passwords. In addition, it targets financial information from clients of several Lebanese banks, as well as Citibank and PayPal – possibly making it the first publicly known state-sponsored banking Trojan, Kaspersky has said. 

“Perhaps the most interesting mystery is Gauss’ encrypted warhead,” according to Kaspersky. “Gauss contains a module named ‘Godel’ that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it.”

“Despite our best efforts, we were unable to break the encryption,” the firm said in a blog post. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload.”

The encrypted payload reaches systems through infected USB sticks. The USB keys carry two files with several encrypted sections that are loaded onto target computers using the same LNK vulnerability exploited by Stuxnet. The primary goal of these files is to collect information about the compromised computer and write it back to a file on the drive named ‘.thumbs.db’, Kaspersky explained.

Several known versions of the files contain three encrypted sections – .exsdat, .exrdat and .exdat. The files also contain an encrypted resource ‘100’ that appears to be the actual payload. It is believed the section ‘.exsdat’ contains the code for decrypting the resource.

“The decryption key for these sections is generated dynamically and depends on the features of the victim system, preventing anyone except the designated target(s) from extracting the contents of the sections,” the company noted.

According to researchers, the resource section is big enough for Stuxnet-like SCADA attack code.

“We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success,” the company said. “The check for the first character of the folder in %PROGRAMFILES% indicates that the attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as ‘~’.”
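The two quoted passages describe the analysis problem from the defender's side: the key is derived from strings found on the victim machine (a folder name under %PROGRAMFILES% and a Path entry), and the only known route to the payload is testing candidate names against the hashes Kaspersky published. The following is an added example, not Kaspersky's tooling and not Gauss's real derivation; the `derive_key` function is a constructed placeholder that only models "key depends on two system strings", the candidate lists and the target fingerprint are constructed, and the first-character filter encodes the heuristic quoted above (non-ASCII first character, or a leading "~") to show why a dictionary of common ASCII folder names never matches.

```python
import hashlib

# Constructed placeholder for a system-dependent key derivation. The article
# does not describe Gauss's actual scheme; this stand-in only captures that the
# key depends on a %PROGRAMFILES% folder name plus a Path entry and is
# expensive enough that each candidate pair costs real work.
def derive_key(program_folder: str, path_entry: str, rounds: int = 1000) -> bytes:
    digest = (program_folder + "\x00" + path_entry).encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def key_fingerprint(key: bytes) -> str:
    """Hash of the derived key, the kind of value an analyst can publish
    without revealing the key itself (constructed; not Gauss's hashes)."""
    return hashlib.sha256(key).hexdigest()


def plausible_first_char(folder_name: str) -> bool:
    """The quoted heuristic: the target folder's first character is outside
    plain ASCII (e.g. Arabic or Hebrew) or is a special symbol such as '~'."""
    if not folder_name:
        return False
    first = folder_name[0]
    return first == "~" or ord(first) > 0x7F


def search(target_fp: str, program_candidates, path_candidates, prefilter: bool = True):
    """Dictionary search over (folder, path) pairs. Returns the matching pair
    (or None) and how many derivations were attempted."""
    attempts = 0
    for folder in program_candidates:
        if prefilter and not plausible_first_char(folder):
            continue
        for path_entry in path_candidates:
            attempts += 1
            if key_fingerprint(derive_key(folder, path_entry)) == target_fp:
                return (folder, path_entry), attempts
    return None, attempts


# Constructed candidate lists: the usual ASCII names an analyst would try first,
# plus a few names that satisfy the first-character heuristic.
PROGRAM_CANDIDATES = [
    "Adobe", "Common Files", "Internet Explorer", "Microsoft Office",
    "Java", "Mozilla Firefox", "VideoLAN", "WinRAR",
    "برنامج",      # Arabic: "program"
    "תוכנה",       # Hebrew: "software"
    "~Target",     # leading special symbol
]
PATH_CANDIDATES = [
    "C:\\Windows\\system32",
    "C:\\Windows",
    "C:\\Program Files\\Java\\bin",
]

# Constructed "published" fingerprint: built here from a chosen secret pair so
# the search has a known answer. In real analysis only the fingerprint is known.
SECRET_PAIR = ("~Target", "C:\\Windows")
TARGET_FP = key_fingerprint(derive_key(*SECRET_PAIR))


def demo():
    """Run the search with and without the first-character prefilter."""
    hit, with_filter = search(TARGET_FP, PROGRAM_CANDIDATES, PATH_CANDIDATES, prefilter=True)
    _, without_filter = search(TARGET_FP, PROGRAM_CANDIDATES, PATH_CANDIDATES, prefilter=False)
    return {"match": hit, "attempts_filtered": with_filter, "attempts_unfiltered": without_filter}


if __name__ == "__main__":
    print(demo())
```

The point of the example is the cost structure: every candidate pair requires a full derivation, so the size of the candidate dictionary is the whole game, and the first-character check tells the analyst that the millions of ordinary ASCII names already tried were never going to match. It also shows why a targeted, environment-keyed payload resists offline analysis: without the right strings from the intended machine, the sandbox never produces the key.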


“We are providing the first 32 bytes of encrypted data and hashes from known variants of the modules,” the company added. “If you are a world class cryptographer or if you can help us with decrypting them, please contact us by e-mail: [email protected].”
