Gauss trojan targets Lebanese banks

Powered by SC Magazine
 

Joins ranks of Flame, Stuxnet and Duqu.

A new sophisticated malware toolkit has been discovered that is stealing bank credentials, cookies and configurations of infected machines across the Middle East.

The malware, dubbed Gauss, has stolen data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.

It also targeted Citibank and PayPal up until last month when the Command and Control (C&C) servers went dormant.

More than 2500 infections have been recorded since late May by Kaspersky Lab -- the outfit credited with the malware's discovery -- with tens of thousands of victims estimated in total.

The number is lower than that of Stuxnet, but significantly higher than the number of victims of the Flame and Duqu malware.

Researchers found 1660 unique victims in Lebanon, 483 in Israel and 261 in the Palestinian territory.

Kaspersky Lab said Gauss collected information including: user passwords; cookies; browser history; information about the computer's network connections, processes and folders, and local, network and removable drives.

The company also said the malware was able to infect USB drives, use the removable media to store collected information in a hidden file, and disinfect a drive under certain circumstances.

Gauss "bears a striking resemblance" to the Flame malware, according to Alexander Gostev, chief security researcher at Kaspersky Lab.

"Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy," he said.

Gauss, like Flame, Stuxnet and Duqu, infected machines via USB, ran its C&C servers on Linux, used fake SSL certificates, hid traffic with HTTPS, and registered fake names and addresses that pointed to hotels and public places.

The malware was found during investigations by Kaspersky into Flame at the request of the International Telecommunications Union (ITU).

It was identified through commonalities it shared with Flame, including architectural platforms, module structures, code bases and the means of communication with C&C servers.

The first incidents involving Gauss date back as early as September last year. The Gauss C&C servers stopped functioning 10 months later.

Chief malware expert Vitaly Kamluk said Gauss marked the first time a nation-sponsored attack had stolen the details of internet banking users.

He said it was the third discovery of a nation-state sponsored cyber attack within 12 months.

The infection vector was unknown, Kamluk said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition
