Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload | ...
- Gauss marks the first time that apparently nation-state-created malware has been found stealing banking credentials, something that is commonly seen in malware distributed by criminal hacking groups.
- Gauss appears to have been created sometime in mid-2011 and was first deployed in September or October of last year, around the same time that DuQu was uncovered by researchers in Hungary. DuQu was an espionage tool discovered on machines in Iran, Sudan, and other countries around August 2011 and was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, sharing identical components and similar techniques. Flame and Stuxnet also shared a component, and now Flame and Gauss have been found to use similar code as well.
- Extrapolating from the number of infected Kaspersky customers, the Kaspersky researchers speculate that there may be as many as tens of thousands of other victims infected with Gauss. By comparison, Stuxnet infected more than 100,000 machines, primarily in Iran. DuQu infected an estimated 50 machines, but was not geographically focused. Flame is estimated to have infected about 1,000 machines in Iran and elsewhere in the Middle East.
- Kaspersky suggests that “white” in the file name may refer to Lebanon, a name said to be derived from the Semitic root letters “lbn,” which are also the root letters for “white.” Although in Arabic — a Semitic language — white is “abayd,” in Hebrew — also a Semitic language — the word for white is “lavan,” which comes from the root letters “lbn.”
- Like Flame, Gauss is modular, so that new functionality can be swapped in and out, depending on the needs of the attackers. To date, only a few modules have been uncovered — these are designed to steal browser cookies and passwords, harvest system configuration data including information about the BIOS and CMOS RAM, infect USB sticks, enumerate the content of drives and folders, and to steal banking credentials as well as account information for social networking accounts, e-mail and instant messaging.
- Gauss also installs a custom font called Palida Narrow, the purpose of which is not known. The use of a custom font designed by the malware authors is reminiscent of DuQu, which used a font called Dexter fabricated by its creators to exploit victim machines. Kaspersky has found no malicious code in the Palida Narrow font files and has no idea why it’s in the code, though the font contains Western, Baltic and Turkish symbols.
- The USB module appears to be aimed at bridging an air gap and getting the payload onto systems that are not connected to the internet, the same technique used previously to get Stuxnet onto industrial control systems in Iran that were not connected to the internet. As noted, the payload is only unleashed on systems that have a specific configuration. That specific configuration is currently unknown, but Schouwenberg says it has to do with paths and files that are on the system. This suggests that the attackers have extensive knowledge about what is on the target system they are seeking.