A new Flame and Stuxnet-related cyber-threat, dubbed Gauss, is targeting users in the Middle East, security researchers have revealed.
Gauss is a complex, state-sponsored cyber-espionage toolkit with online banking Trojan functionality not found in previous cyber weapons, according to researchers at Kaspersky Lab.
They say it is designed to steal sensitive data, with a specific focus on browser histories, passwords, cookies, system configurations and online banking account credentials.
Analysis of Gauss shows it was targeted at several Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal.
Researchers at Kaspersky Lab discovered Gauss by identifying commonalities with Flame, which include similar architectural platforms, module structures, code bases and means of communication with command & control (C&C) servers.
Another key feature of Gauss is the ability to infect USB memory sticks, using the same LNK vulnerability that was previously used in Stuxnet and Flame.
But researchers found that the process of infecting USB sticks is more intelligent, with Gauss capable of “disinfecting” the memory stick under certain circumstances. It can also use the memory stick to store collected information in a hidden file.
While Gauss is similar to Flame in design, the geography of infections is different. The highest number of computers hit by Flame was recorded in Iran, while the majority of Gauss victims were located in Lebanon.
The number of infections is also different. Based on telemetry reported from the Kaspersky Security Network (KSN), Gauss infected approximately 2,500 machines. In comparison, Flame was significantly lower, infecting closer to 700 machines.
Although the exact method used to infect the computers is not yet known, it is also clear that Gauss propagates in a different manner to Flame or Duqu, researchers said.
Gauss’ spreading mechanisms are conducted in a controlled fashion, which researchers said emphasises the importance placed on stealth and secrecy.
Gauss, which is believed to have started operations in September 2011, was discovered in June 2012. But its C&C infrastructure was shut down shortly after its discovery.
"At the moment, the malware is in a dormant state, waiting for its C&C servers to become active again," researchers said.
One of the firm's top researchers, Roel Schouwenberg said Gauss also contains a module known as "Godel" that may include a Stuxnet-like weapon for attacking industrial control systems, according to the Guardian.
Stuxnet, discovered in 2010, was used to attack computers that controlled the centrifuges at a uranium enrichment facility in Natanz, Iran, and Schouwenberg said the Godel code may include a similar "warhead."
While Kaspersky has yet to fully crack Godel's code, Schouwenberg said he suspects it is a cyber weapon designed to cause physical damage and that its developers went to a lot of trouble to hide its purpose, using an encryption scheme that could take months or even years to unravel.
The discovery of Gauss and its links to Flame, Stuxnet and Duqu indicates that the state-sponsored cyber threat might be more dynamic, fast-moving and incestuous than previously thought, said James Todd, technical lead for Europe at security firm FireEye.
"Many consider credential stealing malware a social problem and pretty harmless compared to targeted attacks. Gauss destroys that myth," he said.
According to Todd, the seriousness of this discovery and its potential to morph into a virus capable of attacking control systems and other critical infrastructure, cannot be underestimated.
“In the face of these advanced malware discoveries, organisations must accept the growing security hole in their perimeter and take the threat seriously by reducing their reliance on outdated perimeter security tools," he said.
With political discussions in the US and EU surrounding the prevention of cyber threats and how heavy-handed to be with global enemy states, Todd said it is clear that this is becoming a credible government-level issue.
Read more on Flame:
Read more on Stuxnet: