State-sponsored Trojan 'Gauss' targets Lebanese banks and user details

News by Dan Raywood

Kaspersky Lab has announced the discovery of a fresh cyber threat that targets users in the Middle East and is designed to steal credentials, cookies and configurations of infected machines.

Kaspersky Lab claimed that the threat, named 'Gauss', is a complex, nation-state sponsored cyber espionage toolkit and that its online banking Trojan functionality has not been found in any previously known cyber weapons.

Alexander Gostev, chief security expert at Kaspersky Lab, said: “Gauss bears a striking resemblance to Flame, with its design and code base, which enabled us to discover the malicious program.

“Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy; however, its purpose was different than Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

Discovered during investigations into Flame by the International Telecommunications Union (ITU), Kaspersky Lab said its experts discovered Gauss by identifying the commonalities the malicious program shares with Flame. These included similar architectural platforms, module structures, code bases and means of communication with command and control (C&C) servers.

The investigation revealed that the first incidents with Gauss date back as early as September 2011, yet ten months later the Gauss C&C servers stopped functioning. Analysis shows it was designed to steal data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal. These servers have now been dormant since July 2012.

Since late May 2012, more than 2,500 infections have been recorded by Kaspersky Lab's cloud-based security system, with an estimated tens of thousands of victims. This number is lower than that of Stuxnet, but it is significantly higher than the number of attacks of Flame and Duqu. A total of 1,660 unique users have been infected in Lebanon, with 483 in Israel and 261 in the Palestinian territory.

Kaspersky Lab claimed that Gauss is designed to collect information including: user passwords; cookies; browser history; information about the computer's network connections, processes and folders; and local, network and removable drives.

Kaspersky Lab also said that Gauss is able to infect USB drives, use the removable media to store collected information in a hidden file and disinfect a drive under certain circumstances.

Vitaly Kamluk, chief malware expert in Kaspersky Lab's global research and analysis team, said that he believed that the Trojan was created by the same people as Flame and that it was the first time a nation-sponsored attack was stealing the details of internet banking users.

Regarding similarities to Flame, he said: “There are many similarities, they are related. All of them sharing a common way of infecting machines, as it is through a USB drive, they use the same technique to infect machines that were first used in Stuxnet that were later reused by Flame, so again they are used by Gauss. Both also have C&Cs running Linux and use the same approach with fake SSL certificates and both use registered fake names and addresses that point to hotels or public places. They also both use HTTPS to hide the traffic from being sniffed.”

Kamluk also pointed out that this is the third discovery of a nation-state sponsored cyber attack within 12 months.

In regard to how users are being infected by Gauss, he said: “We don't know the infection vector. It does not spread like Stuxnet, as it is not a worm, also the infection of a USB is a very limited functionality is a special model on stealing information without leaving infection of the user system, it does not stay on the system. It is not self-spreading malware.”

