'Gauss' cyberweapon targeting Middle-Eastern banks, says Kaspersky Lab

Offshoot 'Flame' software monitors Lebanese transactions

Cybersleuths at Kaspersky Lab have announced the unmasking of yet another apparently state-sponsored cyber-weapon dubbed 'Gauss' which appears to be attacking banks and individuals in a number of Middle-Eastern countries but not, for once, the usual target, Iran.

Kaspersky describes the malware as "a nation state sponsored banking Trojan which carries a warhead of unknown designation," capable of stealing data from Windows systems and coming with an unknown, encrypted payload waiting to execute.

This almost sounds like the remit of conventional malware, but there is more to it in Kaspersky's view, starting with the fact that Gauss appears to have been built on the same development platform that resulted in the Flame cyberweapon that caused huge fuss when it was revealed (also by Kaspersky Lab) in May.

If correct, that would position Gauss as the junior partner in crime to Flame in the same way that Duqu was believed to be a smaller and more targeted development from the Stuxnet malware used to undermine Iran's nuclear programme in 2010.

Indeed, it is possible that Gauss became operational as the successor to Duqu after the latter's discovery, which would tie in with what Kaspersky believes is Gauss's activity period of August to September 2011.

According to Kaspersky Lab, around 2,500 Gauss infections had been detected, mainly in Lebanon, with victims also in Israel and Palestine. Small numbers of infections had been found in the US, UAE, Qatar, Jordan, Germany and Egypt.

The true extent of the malware's activity won't be known until the command and control servers have been analysed in more detail; Kaspersky said it had detected high workloads on these which hinted at a more substantial attack volume.

So why not attack Iran? This is not clear. All of the other weapons on the list above had a connection to that country.

And why use a banking Trojan? Credential stealing and account monitoring (rather than money-stealing) is the most likely motivation. Gauss will steal bank logins, but it will also steal any other logins, including social media, email, IM and browser passwords; it spreads via USB sticks and harvests and monitors data on the infected system and its attached drives.

Beyond that, the malware was set loose with a Firefox plug-in to target a number of banks in the region, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, Citibank and PayPal, Kaspersky said.

The Lebanon connection could be a clue to Gauss's purpose. That country is often cited as a clearing point for business conducted by Iran, sometimes involving the Shia anti-Israel militant group Hezbollah. Speculatively, cyberspies could be attempting to monitor Iran's money movements and business web, including individuals connected to it.

Kaspersky said it isn't sure how Gauss spreads. It doesn't have a worm component so the best guess is that it was designed as a slow-spreading piece of malware, possibly via USB sticks. Unlike Flame, the company has not found any zero-day exploits.

"There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same 'factory' (or factories) that produced Stuxnet, Duqu and Flame," said Kaspersky Lab in its analysis.

As with the enigmatic Duqu programme that experts struggled to interpret, Gauss is an odd one. Kaspersky Lab has clearly been studying it for some time, as it was discovered during the same trawl for the International Telecommunication Union (ITU) that uncovered Flame.

Whatever Gauss turns out to be, Kaspersky Lab gives every indication of being a company enjoying itself. Having been the firm that discovered Duqu and Flame, it is now almost single-handedly outing cyber-malware programme after cyber-malware programme, which has raised questions in US circles about the motivation of the company.

Many if not all of these programmes are assumed to be the work of the US and Israel and to have an anti-Iran focus, which recently caused one journalist to get into a public spat with Kaspersky Lab founder and CEO Eugene Kaspersky about his alleged connections to the Russian FSB and Kremlin.

That seems far-fetched, perhaps (Kaspersky is Russian, after all, and worked for the KGB long ago), but in the unfolding world of cyber-malware almost everything seems far-fetched. With every new revelation, the world thinks it knows more whilst being able to assume less.
