Gauss trojan targets Lebanese banks

Powered by SC Magazine
 

Joins ranks of Flame, Stuxnet and Duqu.

A new, sophisticated malware toolkit has been discovered that is stealing bank credentials, cookies and configuration data from infected machines across the Middle East.

The malware, dubbed Gauss, has stolen data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.

It also targeted Citibank and PayPal up until last month when the Command and Control (C&C) servers went dormant.

More than 2500 infections have been recorded since late May by Kaspersky Lab -- the outfit credited with the malware's discovery -- with tens of thousands of estimated victims.

The number is lower than that of Stuxnet, but significantly higher than the number of victims of the Flame and Duqu malware.

Researchers found 1660 unique victims in Lebanon, 483 in Israel and 261 in the Palestinian territory.

Kaspersky Lab said Gauss collected information including: user passwords; cookies; browser history; information about the computer's network connections, processes and folders, and local, network and removable drives.

It also said the malware was able to infect USB drives, use the removable media to store collected information in a hidden file, and disinfect a drive under certain circumstances.

Gauss "bears a striking resemblance" to the Flame malware according to Alexander Gostev, chief security researcher at Kaspersky Lab.

"Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy," he said.

Gauss, like Flame, Stuxnet and Duqu, infected machines via USB, ran its C&C servers on Linux, used fake SSL certificates, hid traffic with HTTPS, and registered fake names and addresses that pointed to hotels and public places.

The malware was found during Kaspersky's investigation into Flame, carried out at the request of the International Telecommunication Union (ITU).

It was identified through commonalities it shared with Flame, including architectural platforms, module structures, code bases and means of communication with C&C servers.

The first incidents with Gauss date back as early as September last year. The Gauss C&C servers had stopped functioning 10 months later.

Chief malware expert Vitaly Kamluk said Gauss marked the first time a nation-sponsored attack had stolen the details of internet banking users.

He said it was the third discovery of a nation-state sponsored cyber attack within 12 months.

The infection vector was unknown, Kamluk said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition
