Kaspersky Lab researchers have uncovered what they believe is another nation-state-sponsored attack toolkit designed to steal sensitive data from individuals in the Middle East.
Similar to the two previous cyber-espionage weapons, Gauss' spreading mechanisms are conducted in a controlled fashion, which emphasize stealth and secrecy for the operation.
The Gauss attack toolkit steals passwords, banking credentials, browser cookies and configuration data of infected machines. More than 2,500 infections were detected by Kaspersky in May, with the number of total infections estimated in the tens of thousands.
Gauss' payload is encrypted and so far researchers have not been able to determine what vulnerabilities it exploits and how it spreads. Victims are running Windows 7 systems. Kaspersky Lab said the attack toolkit was uncovered following the discovery of the Flame attack toolkit in June.
Kaspersky Lab is working with the International Telecommunication Union (ITU) to detect and reduce the risks posed by cyberweapons. The ITU, a UN agency established to discuss international communications issues, has been trying to gain authority over issues governing the Internet from private organizations. The Russia-based antivirus giant has detected a number of nation-state-sponsored cyberattacks, including Stuxnet, Duqu and the Flame attack toolkit. No nation-state has claimed responsibility for the use of malware in cyberespionage activities. But a New York Times report, citing anonymous government sources, said the United States and Israel were behind the Stuxnet attack that disrupted operations at an Iranian Nuclear refinery facility. Some characteristics of Flame and Duqu have been linked to the Stuxnet worm.
Kaspersky Lab provided its analysis of the Gauss toolkit in a blog post Thursday. The company said Gauss also shares characteristics with Flame, which targeted hundreds of individuals in Iran and the Middle East. "These include similar architectural platforms, module structures, code bases and means of communication with command-and-control [C&C] servers," the security firm said in a statement.
The researchers believe the attack toolkit was used beginning in September 2011. It was discovered in June 2012, following analysis of the Flame malware. Kaspersky said the C&C infrastructure was shut down in July, leaving the malware in a dormant state.
"Analysis of Gauss shows it was designed to steal data from several Lebanese banks, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais," Kaspersky said. "In addition, it targets users of Citibank and PayPal."
Gauss' main module was named by the unknown creators after the German mathematician Johann Carl Friedrich Gauss. Other components bear the names of famous mathematicians as well, including Joseph-Louis Lagrange and Kurt Gödel.
Like many malware families, Gauss can collect information from browsers, including the history of visited websites and passwords. Detailed data on the infected machine is also sent to the attackers, including specifics of network interfaces, the computer's drives and BIOS information.
Gauss can also infect USB thumb drives, using the same LNK vulnerability that was previously used in Stuxnet and Flame. "Gauss is capable of 'disinfecting' the drive under certain circumstances, and uses the removable media to store collected information in a hidden file," Kaspersky said.
While Gauss is similar to Flame in design, the geography of infections is noticeably different. The highest number of computers hit by Flame was recorded in Iran, while the majority of Gauss victims were located in Lebanon. The number of infections is also different. Based on telemetry reported from the Kaspersky Security Network (KSN), Gauss infected approximately 2,500 machines.
"Similar to the two previous cyberespionage weapons, Gauss' spreading mechanisms are conducted in a controlled fashion, which emphasize stealth and secrecy for the operation," Kaspersky said.