Kaspersky Looks for Help Deciphering Gauss Malware

Researchers at Kaspersky Lab are asking for help peeling back the layers covering a mysterious payload of the Gauss malware.

Speculated to be linked to Flame, Gauss was revealed last week to be the latest piece of cyber-espionage malware targeting the Middle East. Primarily hitting users in Lebanon, Gauss steals data about the infected machine as well as information from browsers, such as the history of visited websites and user passwords. In addition, it targets financial information from clients of several Lebanese banks, as well as Citibank and PayPal – possibly making it the first publicly known state-sponsored banking Trojan, Kaspersky has said. 

“Perhaps the most interesting mystery is Gauss’ encrypted warhead,” according to Kaspersky. “Gauss contains a module named ‘Godel’ that features an encrypted payload. The malware tries to decrypt this payload using several strings from the system and, upon success, executes it.”

“Despite our best efforts, we were unable to break the encryption,” the firm said in a blog post. “So today we are presenting all the available information about the payload in the hope that someone can find a solution and unlock its secrets. We are asking anyone interested in cryptology and mathematics to join us in solving the mystery and extracting the hidden payload.”

The encrypted payload hits systems through infected USB sticks. The USB keys carry two files with several encrypted sections that are loaded onto target computers using the same LNK vulnerability exploited by Stuxnet. The primary goal of these files is to swipe information about the compromised computer and write it back to a file on the drive known as ‘.thumbs.db’, Kaspersky explained.

Several known versions of the files contain three encrypted sections – .exsdat, .exrdat and .exdat. The files also contain an encrypted resource ‘100’ that appears to be the actual payload. It is believed the section ‘.exsdat’ contains the code for decrypting the resource.

“The decryption key for these sections is generated dynamically and depends on the features of the victim system, preventing anyone except the designated target(s) from extracting the contents of the sections,” the company noted.

According to researchers, the resource section is big enough for Stuxnet-like SCADA attack code.

“We have tried millions of combinations of known names in %PROGRAMFILES% and Path, without success,” the company said. “The check for the first character of the folder in %PROGRAMFILES% indicates that the attackers are looking for a very specific program with the name written in an extended character set, such as Arabic or Hebrew, or one that starts with a special symbol such as ‘~’.”

“We are providing the first 32 bytes of encrypted data and hashes from known variants of the modules,” the company added. “If you are a world-class cryptographer or if you can help us with decrypting them, please contact us by e-mail: [email protected]”
