TechWorld - Cybersleuths at Kaspersky Lab have announced the unmasking of yet another apparently state-sponsored cyber-weapon, dubbed 'Gauss', which appears to be attacking banks and individuals in a number of Middle Eastern countries but not, for once, the usual target, Iran.
Kaspersky describes the malware as "a nation state sponsored banking Trojan which carries a warhead of unknown designation," capable of stealing data from Windows systems and coming with an unknown, encrypted payload waiting to execute.
This almost sounds like the remit of conventional malware, but there is more to it in Kaspersky's view, starting with the fact that Gauss appears to have been built on the same development platform as the Flame cyberweapon, which caused a huge fuss when it was revealed (also by Kaspersky Lab) in May.
If correct, that would position Gauss as the junior partner in crime to Flame in the same way that Duqu was believed to be a smaller and more targeted development from the Stuxnet malware used to undermine Iran's nuclear programme in 2010.
Indeed, it is possible that Gauss became operational as the successor to Duqu after the latter's discovery, which would tie in with what Kaspersky believes is Gauss's activity period of August to September 2011.
According to Kaspersky Lab, around 2,500 Gauss infections had been detected, mainly in Lebanon, with further victims in Israel and Palestine. Small numbers of infections had been found in the US, UAE, Qatar, Jordan, Germany and Egypt.
The true extent of the malware's activity won't be known until the command and control servers have been analysed in more detail; Kaspersky said it had detected high workloads on these, which hinted at a more substantial attack volume.
So why not attack Iran? This is not clear. All of the other weapons on the list above had a connection to that country.
And why use a banking Trojan? Credential stealing and account monitoring (rather than stealing money) is the most likely motivation. Gauss will steal bank logins, but it will also steal any other logins, including social media, email, IM and browser passwords; it spreads via USB sticks and gathers and monitors information about the infected system and any attached drives.
Beyond that, the malware was set loose with a Firefox plug-in to target a number of banks in the region, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, Credit Libanais, Citibank and PayPal, Kaspersky said.
The Lebanon connection could be a clue to Gauss's purpose. That country is often cited as a clearing point for business conducted by Iran, sometimes involving the Shia anti-Israel militant group Hezbollah. Speculatively, cyberspies could be attempting to monitor Iran's money movements and business network, including individuals connected to it.
Kaspersky said it isn't sure how Gauss spreads. It doesn't have a worm component so the best guess is that it was designed as a slow-spreading piece of malware, possibly via USB sticks. Unlike Flame, the company has not found any zero-day exploits.