Kaspersky warns of new banking threat Gauss
Kaspersky Lab yesterday warned of a new malicious banking and social network Trojan called Gauss that may have affected thousands of systems so far. According to a post on securelist.com, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”.
The Russia-based security firm states that Gauss was probably created in mid-2011 and is the latest cyber-surveillance operation to be detected after Stuxnet, Duqu and Flame. Gauss appears to have affected systems mainly in the Middle East, most of which were running Windows 7. It was first detected during investigations into Flame in June this year.
“Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins,” the post reads. Kaspersky states that the currently known plugins can intercept browser cookies and passwords; harvest system configuration data and send it to the attackers; infect USB sticks with a data-stealing module; list the contents of system drives and folders; steal credentials for various banking systems in the Middle East; and hijack account information for social network, email and IM accounts.
According to the post, Gauss is heavily based on Flame and is related to Duqu and Stuxnet. It shares some functionality with Flame, such as the USB infection subroutines, but its main focus appears to be stealing banking and financial information in specific countries. It also carries a USB data-stealing payload containing several encrypted sections that are decrypted with a key derived from certain properties of the target system, so the payload cannot be decrypted on a machine whose properties do not match.
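The environment-keyed payload described above is worth seeing in code, because it explains why a sample captured on the wrong machine stays opaque to analysts. The following Python sketch is an added illustration, not code from the Kaspersky post and not Gauss's actual scheme (the article does not state which properties, hash function or iteration count Gauss uses; the directory list, install path, SHA-256 and 10,000 iterations below are assumptions chosen for the demo). It derives a key from a canonical fingerprint of machine properties, encrypts a payload section under that key with an HMAC-based keystream, and attaches an HMAC tag so the implant can tell whether it is running on the intended host: on the target environment the section decrypts, on a sandbox with different properties decryption is refused.

```python
import hashlib
import hmac
import os

# Constructed sample environments for the demo (not real victim data).
TARGET_ENV = {
    "program_dirs": ["Common Files", "Internet Explorer", "Windows NT", "BankClient"],
    "install_path": r"C:\Program Files",
}
SANDBOX_ENV = {
    "program_dirs": ["Common Files", "Internet Explorer", "Windows NT"],
    "install_path": r"C:\Program Files",
}

# Assumed iteration count: only there to make guessing fingerprints expensive.
KEY_ITERATIONS = 10_000


def fingerprint(env):
    """Canonical byte string of the machine properties the key is tied to.
    Sorting makes the fingerprint independent of directory enumeration order."""
    parts = sorted(env["program_dirs"]) + [env["install_path"]]
    return "\x00".join(parts).encode("utf-8")


def derive_key(fp, iterations=KEY_ITERATIONS):
    """Iterated SHA-256 over the fingerprint (assumed KDF, not Gauss's).
    The key never appears in the binary; only the derivation code does."""
    digest = fp
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_section(plaintext, key):
    """Encrypt one payload section and tag it so decryption can be verified."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def try_decrypt(nonce, ciphertext, tag, key):
    """Return the plaintext if the key is right, None otherwise.
    The tag check is what lets the implant fail closed on the wrong host."""
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_and_run(payload, build_env, run_env):
    """Seal the payload for build_env, then attempt to open it on run_env."""
    nonce, ciphertext, tag = encrypt_section(payload, derive_key(fingerprint(build_env)))
    return try_decrypt(nonce, ciphertext, tag, derive_key(fingerprint(run_env)))


if __name__ == "__main__":
    secret = b"hidden module"
    print("on target :", build_and_run(secret, TARGET_ENV, TARGET_ENV))
    print("in sandbox:", build_and_run(secret, TARGET_ENV, SANDBOX_ENV))
```

The practical consequence for a defender is that a static sample gives you the derivation routine but not the key; to recover the payload you either need the exact property values from an infected machine or you must brute-force plausible fingerprints through the derivation, which the iteration count is there to slow down.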
It is not known at present how Gauss replicates itself or spreads across systems. “Just like in the case of Flame, we still do not know how victims get infected with Gauss. It is possible the mechanism is the same as Flame and we haven’t found it yet; or it may be using a different method. We have not seen any self-spreading (worm) capabilities in Gauss, but the higher number of victims than Flame might indicate a slow spreading feature. This might be implemented by a plugin we have not yet seen,” the post reads.
Kaspersky states that Gauss represents the “high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’.”
Kaspersky states that its cloud-based Kaspersky Security Network has recorded more than 2,500 infected machines so far and estimates that the total number of infections may run into tens of thousands. “The vast majority of Gauss victims are located in Lebanon. There are also victims in Israel and Palestine. In addition to these, there are a few victims in the U.S., UAE, Qatar, Jordan, Germany and Egypt.”