ITU project uncovers banker trojan that adds Flame to Stuxnet

Stuxnet, Duqu, Flame, and now Gauss... They’re all connected, says Kaspersky Lab .

Security researchers have uncovered new malware, likely related to Stuxnet, and aimed at clients of several Lebanese banks, as well as Citibank and PayPal.

Researchers at Russian security vendor Kaspersky Lab claim that Gauss, a banking trojan, is “closely related to Flame and Stuxnet”, the latter of which is pegged for disrupting an Iranian nuclear facility’s uranium enrichment equipment.

“We have evidence that Gauss was created by the same “factory” (or factories) that produced Stuxnet, Duqu and Flame,” said Kaspersky Lab.

The connections Kaspersky draws to the previously discovered malware was Gauss’ exploitation of a .LNK file vulnerability and that it made use of an USB removable drive to store data.

While the majority of infections were found in Lebanon, there were also some in Palestine and Israel, according to its analysis.

The trojan can steal banking credential information and is aimed at a select few Lebanese institutions but it’s ultimate intent is unknown.

Kaspersky’s theory is that Gauss is designed primarily to silently spy on banking transactions as opposed using that information to steal funds.

“The presumption is that the attackers are interested in profiling the victims and their computers. Banking credentials, for instance, can be used to monitor the balance on the victim’s accounts - or, they can be used to directly steal money,” said Kaspery Lab.

“We believe the theory that Gauss is used to steal money, which is used to finance other projects such as Flame and Stuxnet, is not compatible with the idea of nation-state sponsored attacks.”

The discovery was made as part of the Russian company’s work with the United Nation’s telecoms arm, the International Telecommunications Union (ITU).

The ITU requested the company investigate a rash of infections within organisations from its member nations that led to the discovery of Flame in May— spyware that appeared aimed solely at countries in the middle east.

Flame was discovered after Stuxnet, which reportedly was the product of a US campaign aimed at capping Iran’s nuclear capabilities.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts