Malware called Gyges, developed by the Russian intelligence service, has been leaked to cyber-criminals and has also been incorporated into ransomware and online banking Trojan toolkits, threat analysis company Sentinel Labs has claimed.
Gyges mainly targets Windows 7 and 8 users running 32 and 64-bit versions of the platforms.
What makes this sophisticated piece of malware worse is that it is virtually invisible and capable of operating undetected for long periods of time. Plus it also seems to have the stamp of a state.
However, Sentinel Labs’ research added that with constant monitoring on endpoints, it does become difficult for the otherwise "invisible" malware to hide or evade detection.
In his research paper, Udi Shamir, head of research at Sentinel Labs, said: "We first detected Gyges with our heuristic sensors and then our reverse engineering task force performed an in-depth analysis.
"It appears to originate from Russia and be designed to target government organisations. It comes to us as no surprise that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands."
A notable fact about Gyges is that it uses less intrusive techniques and strikes when a user is inactive, in contrast to the more common technique of waiting for user activity.
Sentinel recovered government traces inside the carrier code, which it later connected to previous targeted attacks that used the same characteristics.
"At this point it became clear that the carrier code was originally developed as part of an espionage campaign," Shamir said.
Gyges code can be used for eavesdropping on network activities, key logging, stealing user identities, screen capturing and other espionage techniques, as per the research analysis.
The team also claims that Gyges can be used for money extortion via hard drive encryption (ransomware) and online banking fraud. It can also install rootkits and trojans, create botnets and zombie networks, and target critical infrastructure.
