Gauss trojan targets Lebanese banks

Powered by SC Magazine
 

Joins ranks of Flame, Stuxnet and Duqu.

A new sophisticated malware toolkit has been discovered that is stealing bank credentials, cookies and configurations of infected machines across the Middle East.

The malware, dubbed Gauss, has stolen data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.

It also targeted Citibank and PayPal up until last month, when the Command and Control (C&C) servers went dormant.

More than 2500 infections have been recorded since late May by Kaspersky Lab -- the outfit credited with the malware's discovery -- and the total number of victims is estimated in the tens of thousands.

The number is lower than that of Stuxnet, but significantly higher than the number of victims of the Flame and Duqu malware.

Researchers found 1660 unique victims in Lebanon, 483 in Israel and 261 in the Palestinian territory.

Kaspersky Lab said Gauss collected information including: user passwords; cookies; browser history; information about the computer's network connections, processes and folders, and local, network and removable drives.

It also said it was able to infect USB drives, use the removable media to store collected information in a hidden file and disinfect a drive under certain circumstances.

Gauss "bears a striking resemblance" to the Flame malware according to Alexander Gostev, chief security researcher at Kaspersky Lab.

"Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy," he said.

Gauss, like Flame, Stuxnet and Duqu, infected machines via USB, ran its C&C servers on Linux, used fake SSL certificates, hid its traffic inside HTTPS, and registered fake names and addresses that pointed to hotels and public places.

The malware was found during Kaspersky's investigation into Flame, carried out at the request of the International Telecommunication Union (ITU).

It was identified through the commonalities it shares with Flame, which include architectural platform, module structure, code base and means of communication with C&C servers.

The first incidents involving Gauss date back as early as September last year; the Gauss C&C servers stopped functioning 10 months later.

Chief malware expert Vitaly Kamluk said Gauss was the first time a nation-sponsored attack had stolen the details of internet banking users.

He said it was the third discovery of a nation-state sponsored cyber attack within 12 months.

The infection vector was unknown, Kamluk said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition
