
'Gauss' cyberweapon targeting Middle-Eastern banks, says Kaspersky Lab

Offshoot 'Flame' software monitors Lebanese transactions


Cybersleuths at Kaspersky Lab have announced the unmasking of yet another apparently state-sponsored cyber-weapon dubbed ‘Gauss’ which appears to be attacking banks and individuals in a number of Middle-Eastern countries but not, for once, the usual target, Iran.

Kaspersky describes the malware as “a nation state sponsored banking Trojan which carries a warhead of unknown designation,” capable of stealing data from Windows systems and coming with an unknown, encrypted payload waiting to execute.

This almost sounds like the remit of conventional malware, but there is more to it in Kaspersky’s view, starting with the fact that Gauss appears to have been built on the same development platform that produced the Flame cyberweapon, which caused a huge fuss when it was revealed (also by Kaspersky Lab) in May.

If correct, that would position Gauss as the junior partner in crime to Flame in the same way that Duqu was believed to be a smaller and more targeted development from the Stuxnet malware used to undermine Iran’s nuclear programme in 2010.

Indeed, it is possible that Gauss became operational as the successor to Duqu after the latter’s discovery, which would tie in with Kaspersky’s belief that Gauss’s activity period began in August to September 2011.

According to Kaspersky Lab, around 2,500 Gauss infections had been detected, mainly in Lebanon, with further victims in Israel and Palestine. Small numbers of infections had been found in the US, the UAE, Qatar, Jordan, Germany and Egypt.

The true extent of the malware’s activity won’t be known until the command and control servers have been analysed in more detail; Kaspersky said it had detected high workloads on these which hinted at a more substantial attack volume.

So why not attack Iran? This is not clear. All of the other weapons on the list above had a connection to that country.

And why use a banking Trojan? Credential stealing and account monitoring (rather than money-stealing) is the most likely motivation. Gauss will steal bank logins, but it will also steal any other logins, including social media, email, IM and browser passwords; it spreads via USB sticks and collects and monitors information about the infected system and its attached drives.

Beyond that, the malware was set loose with a Firefox plug-in to target a number of banks in the region, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, Citibank and PayPal, Kaspersky said.

The Lebanon connection could be a clue to Gauss’s purpose. That country is often cited as a clearing point for business conducted by Iran, sometimes involving the Shia anti-Israel militant group Hezbollah. Speculatively, cyberspies could be attempting to monitor Iran’s money movements and business web, including individuals connected to it.

Kaspersky said it isn’t sure how Gauss spreads. It doesn’t have a worm component so the best guess is that it was designed as a slow-spreading piece of malware, possibly via USB sticks. Unlike Flame, the company has not found any zero-day exploits.

“There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same “factory” (or factories) that produced Stuxnet, Duqu and Flame,” said Kaspersky Lab in its analysis.

As with the enigmatic Duqu programme that experts struggled to interpret, Gauss is an odd one. Kaspersky Lab has clearly been studying it for some time, as it was discovered during the same trawl for the International Telecommunication Union (ITU) that uncovered Flame.

Whatever Gauss turns out to be, Kaspersky Lab gives every indication of being a company enjoying itself. Having been the firm that discovered Duqu and Flame, it is now almost single-handedly outing cyber-malware programme after cyber-malware programme, which has raised questions in US circles about the motivation of the company.

Many if not all of these programmes are assumed to be the work of the US and Israel and to have an anti-Iran focus, which recently caused one journalist to get into a public spat with Kaspersky Lab founder and CEO Eugene Kaspersky about his alleged connections to the Russian FSB and the Kremlin.

That seems far-fetched, perhaps (Kaspersky is Russian after all and worked for the KGB long ago) but in the unfolding world of cyber-malware almost everything seems far-fetched. With every new revelation, the world thinks it knows more whilst being able to assume less.
