Gauss Espionage Malware: 7 Key Facts

Published: 22/11/2024 | Category: security




From targeting Lebanese banking customers to installing a font, security researchers seem to be unearthing as many questions as answers in their teardown of the surveillance malware.



What secrets does the newly discovered Gauss malware hide?
At a high level, Moscow-based Kaspersky Lab, which Thursday announced its discovery of Gauss, believes it is a nation-state-sponsored banking Trojan, built using a code base that's related to Flame, and by extension Duqu and Stuxnet.
But the ongoing analysis of Gauss has yet to uncover the answers to numerous questions. For starters, as noted by Symantec, banking credentials are not a typical target for cyber espionage malware of this complexity.
With that in mind, here are seven oddities and unanswered questions surrounding Gauss:
1. Malware Eavesdropped On Lebanon
Whoever heard of malware that came gunning for residents of Lebanon? Kaspersky said that by July 31, 2012, it had counted 2,500 unique PCs as being infected by Gauss since May, and traced 1,600 of those infections to PCs in Lebanon. The next most-infected countries were Israel (483 PCs infected), the Palestinian Territory (261), the United States (43), the United Arab Emirates (11), and Germany (5).
2. Espionage Malware Targeted Banks
According to Kaspersky's teardown of Gauss, the malware didn't just target Lebanon, but specific bank customers. "The Gauss code (winshell.ocx) contains direct commands to intercept data required to work with Lebanese banks--including the Bank of Beirut, Byblos Bank, and Fransabank," it said. But the malware also targeted users of Credit Libanais, Citibank, and eBay's PayPal online payment system.
In other words, Gauss may be the first known malware to have been commissioned by a nation state to spy on online banking customers. Then again, Jeffrey Carr, CEO of cyber risk management firm Taia Global, told Reuters that Lebanese banks have long been watched by U.S. intelligence agencies for their role in facilitating payments to drug cartels and extremist groups. "You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.
3. Malware Module May Hide Stuxnet Warhead
Another curiosity: Kaspersky researcher Roel Schouwenberg said the Godel module found in Gauss may also include a Stuxnet-like warhead able to damage industrial control systems, reported Reuters.
4. But Gauss Avoided Stuxnet Mistakes
Gauss managed to avoid detection for over a year by not infecting enough PCs to be spotted by security firms. For comparison purposes, Gauss is known to have infected 2,500 PCs, compared with 700 for Flame, and just 20 for Duqu. Stuxnet, meanwhile, infected over 100,000 PCs, although security experts suspect that its creators--believed to be the United States, working with Israel--lost control of the malware due to a programming error, which let the malware spread outside of the single Iranian nuclear facility that it was meant to infect.
5. Banking Malware Prolific--For Targeted Attack
But the 1,600 Gauss infections--80 times the number seen for Duqu--place the malware in curious territory. "This is an uncharacteristically high number for targeted attacks similar to Duqu--it's possible that such a high number of incidents is due to the presence of a worm in one of the Gauss modules that we still don't know about," according to Kaspersky Lab. However, the infections have been predominantly within the boundaries of a rather small geographical region, meaning that the malware is apparently only being used for targeted attacks, and carefully controlled.
6. USB Key Attack Code Copies Targeted Data
On a related note, Kaspersky said that Gauss "is compatible with 32-bit Windows systems, although there is a separate spy module that operates on USB drives ... and is designed to collect information from 64-bit systems." Interestingly, the malware installs a compressed, encrypted attack application onto USB drives, which only activates when it finds a targeted system.
"The spy module that works on USB drives uses an .LNK exploit ... [that is] similar to the one used in the Stuxnet worm, but it is more effective," according to Kaspersky Lab. "The module masks the Trojan's files on the USB drive without using a driver. It does not infect the system: information is extracted from it using a spy module (32- or 64-bit) and saved on the USB drive."
According to Symantec, the USB attack code would be quite difficult to spot. "Some sections of the payload binary that spreads to USB devices are RC4 encrypted with keys generated to target specific computers," it said, referencing the RC4 software stream cipher. "The underlying data has yet to be decrypted in these payloads."
7. Attack Code Installs Font
A substantial amount of Gauss analysis remains, before the design of its modules--or even how it goes about infecting systems--can be fully understood. In particular, the infection vector is currently unknown, according to Symantec.
Another mystery is the Gauss module dubbed Lagrange, which--as Symantec put it--"curiously installs a font called Palida Narrow." The custom TrueType font appears to contain valid Western, Baltic, and Turkish symbols, according to Kaspersky. Why create custom fonts for malware? So far, that's just one more outstanding and unusual Gauss question that remains unanswered.
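Whatever the font is for, an installed font with an unexpected name is an artifact a defender can look for. The following added example (not Kaspersky's or Symantec's detector) checks a list of installed font names for the name reported above. The only value taken from the reports is "Palida Narrow"; the registry-key and `fc-list` readers are assumptions about where a host lists its fonts (Windows registers fonts under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` with value names like "Arial (TrueType)"; Linux systems with fontconfig list families via `fc-list`), and the sample names in the test are constructed.

```python
"""Check installed font names for an unexpected family name.
Added example; the suspect name comes from the Gauss reports, everything else is assumed."""
import re
import subprocess
from typing import Iterable, List

# Font name taken from the Gauss reports; extend the tuple for other indicators.
SUSPECT_FONTS = ("Palida Narrow",)


def normalize(name: str) -> str:
    """Reduce a registry value name such as "Arial (TrueType)" or a raw family
    name to a lowercase family name so both sources compare the same way."""
    name = re.sub(r"\s*\((true|open)type\)\s*$", "", name, flags=re.I)
    return re.sub(r"\s+", " ", name).strip().lower()


def fc_list_families(lines: Iterable[str]) -> List[str]:
    """Parse fc-list output lines ("/path/file.ttf: Family,Alias:style=...")
    into family names. Paths with colons are not expected on Linux."""
    families: List[str] = []
    for line in lines:
        parts = line.split(":")
        if len(parts) >= 2:
            families.extend(f.strip() for f in parts[1].split(",") if f.strip())
    return families


def windows_font_names() -> List[str]:
    """Enumerate value names of the Windows font registry key (assumed location).
    Returns an empty list on non-Windows hosts where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    names: List[str] = []
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts")
    index = 0
    while True:
        try:
            value_name, _data, _kind = winreg.EnumValue(key, index)
        except OSError:
            break
        names.append(value_name)
        index += 1
    return names


def linux_font_names() -> List[str]:
    """Run fc-list if present; returns an empty list when it is not installed."""
    try:
        out = subprocess.run(["fc-list"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return []
    return fc_list_families(out.stdout.splitlines())


def find_suspect_fonts(installed_names: Iterable[str],
                       suspects: Iterable[str] = SUSPECT_FONTS) -> List[str]:
    """Return the installed names (as listed by the host) whose normalized family
    matches a suspect family, sorted for stable reporting."""
    wanted = {normalize(s) for s in suspects}
    return sorted({n.strip() for n in installed_names if normalize(n) in wanted})


if __name__ == "__main__":
    hits = find_suspect_fonts(windows_font_names() + linux_font_names())
    print("suspect fonts found:" if hits else "no suspect fonts found", hits)
```

The match is deliberately on the normalized family name rather than on a file name, because the registry value name and the fontconfig family are what a host reports consistently; a hit is a lead for the incident responder, not proof of infection on its own.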
