
More state-sponsored malware targeting Middle East discovered

Another piece of malware capable of cyber espionage has been discovered targeting organisations in the Middle East – and it looks like it was created by the same people behind Stuxnet and Flame.


The malware, called Gauss, was discovered by Kaspersky Lab during their investigations into the data-gathering Flame malware.

According to their research it is primarily targeting banking institutions in Lebanon and is capable of spying on financial transactions as well as email and social network activity. Intriguingly, Kaspersky said Gauss also "includes an unknown, encrypted payload which is activated on certain specific system configurations." Kaspersky has not yet been able to determine what this component does.
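A payload that only activates on certain system configurations is the signature of environment-keyed encryption: the decryption key is derived from attributes of the intended host, so an analyst who has the encrypted blob but not the exact configuration has no key to test it with and is left guessing candidate configurations. The following Python is an added illustration of that pattern, not the article's content and not Gauss's actual mechanism (which the article does not describe); the attribute names, salt, sample payload and the HMAC-SHA256 counter-mode keystream are all constructed for the example so that it runs on the standard library alone.

```python
import hashlib
import hmac

MAGIC = b"PAYLOAD1"  # known header: lets a decryptor tell a correct key from a wrong one


def fingerprint(attributes: dict) -> str:
    """Canonical string built from host attributes (constructed example keys).
    Sorting makes the fingerprint independent of enumeration order."""
    return "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))


def derive_key(system_config: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Stretch the fingerprint into a 32-byte key. The iteration count makes
    offline guessing of candidate configurations correspondingly slower."""
    return hashlib.pbkdf2_hmac("sha256", system_config.encode("utf-8"), salt, iterations)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_payload(payload: bytes, system_config: str, salt: bytes) -> bytes:
    """Attacker side: bind the payload to one host fingerprint."""
    plaintext = MAGIC + payload
    key = derive_key(system_config, salt)
    return _xor(plaintext, keystream(key, len(plaintext)))


def try_decrypt(blob: bytes, system_config: str, salt: bytes):
    """Loader/analyst side: returns the payload only if this configuration
    reproduces the key; otherwise the magic check fails and None is returned."""
    key = derive_key(system_config, salt)
    plaintext = _xor(blob, keystream(key, len(blob)))
    if plaintext[: len(MAGIC)] != MAGIC:
        return None
    return plaintext[len(MAGIC):]


def demo():
    """Constructed scenario: the payload is bound to the target host, and an
    analyst's sandbox that differs in a single attribute cannot recover it."""
    salt = b"constructed-salt"  # assumed to ship alongside the blob, as it is not secret
    target = fingerprint({"path": r"C:\Program Files\Acme", "install_id": "A1"})
    sandbox = fingerprint({"path": r"C:\Program Files\Acme", "install_id": "A2"})
    blob = encrypt_payload(b"constructed secret payload", target, salt)
    return try_decrypt(blob, target, salt), try_decrypt(blob, sandbox, salt)


if __name__ == "__main__":
    on_target, in_sandbox = demo()
    print("on target :", on_target)
    print("in sandbox:", in_sandbox)
```

The salt and the encrypted blob give an analyst nothing to work with on their own: the only way to recover the payload without the original host is to enumerate plausible fingerprints and run each through the key derivation, which is exactly the position Kaspersky describes being in.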


As well as stealing banking, email and social network information, Kaspersky says Gauss can intercept browser cookies and passwords, send information about the systems it has infected back to its operators, infect USB drives and steal data from them, and provide the attackers with a list of system files and folders.

In terms of what the banking element does, Kaspersky says it is unsure at the moment whether Gauss is actively stealing money or just monitoring what goes in and out of the accounts.

"The presumption is that the attackers are interested in profiling the victims and their computers. Banking credentials, for instance, can be used to monitor the balance on the victim’s accounts – or, they can be used to directly steal money," the company explained.

"We believe the theory that Gauss is used to steal money which is used to finance other projects such as Flame and Stuxnet is not compatible with the idea of nation-state sponsored attacks," Kaspersky said.

The different modules within Gauss are named after famous mathematicians and philosophers such as Kurt Gödel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange. Kaspersky has given the malware the name Gauss because that module is its most important part, the one that implements the data-stealing components.

Kaspersky reckons it was first deployed around August or September 2011, a date that offers a further clue about who is behind it. It first emerged around the time Duqu was publicly revealed, and Kaspersky has suggested that whoever was behind Duqu switched to Gauss once Duqu's existence was known.

"We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu," Kaspersky said on its blog.

"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’," the blog added.

"Gauss’ highly modular architecture reminds us of Duqu — it uses an encrypted registry setting to store information on which plugins to load; is designed to stay under the radar, avoid security and monitoring programs and performs highly detailed system monitoring functions," Kaspersky explained.

Since its discovery Kaspersky has observed around 2,500 machines infected with Gauss, but believes the true number of victims to be in the tens of thousands.

If Gauss was indeed created by the same nation-state as Stuxnet and Flame, then it is another example of the growing use of cyber attacks by the US government. Stuxnet attacked Iran's nuclear facilities by infecting the computers that controlled centrifuges, which it damaged by driving them at speeds outside their safe operating range.

More recently there was Flame, which was dubbed the most sophisticated piece of malware ever discovered. It was primarily a spying tool and gathered information from emails, documents and even instant message conversations.

This article is from the CBROnline archive: some formatting and images may not be present.