Gauss trojan targets Lebanese banks


Joins ranks of Flame, Stuxnet and Duqu.

A new, sophisticated malware toolkit has been discovered that is stealing bank credentials, cookies and the configurations of infected machines across the Middle East.

The malware, dubbed Gauss, has stolen data from several Lebanese banks, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.

It also targeted Citibank and PayPal up until last month, when the Command and Control (C&C) servers went dormant.

More than 2500 infections have been recorded since late May by Kaspersky Lab -- the outfit credited with the malware's discovery -- with tens of thousands of victims estimated in total.

The number is lower than that of Stuxnet, but significantly higher than the number of victims of the Flame and Duqu malware.

Researchers found 1660 unique victims in Lebanon, 483 in Israel and 261 in the Palestinian territory.

Kaspersky Lab said Gauss collected information including user passwords, cookies, browser history, and details of the computer's network connections, processes, folders, and local, network and removable drives.

Kaspersky also said Gauss was able to infect USB drives, use the removable media to store collected information in a hidden file, and disinfect a drive under certain circumstances.

Gauss "bears a striking resemblance" to the Flame malware, according to Alexander Gostev, chief security researcher at Kaspersky Lab.

"Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy," he said.

Gauss, like Flame, Stuxnet and Duqu, infected machines via USB, ran its C&C servers on Linux, used fake SSL certificates, hid its traffic inside HTTPS, and registered the C&C domains under fake names and addresses that pointed to hotels and public places.

The malware was found during Kaspersky's investigation into Flame, conducted at the request of the International Telecommunication Union (ITU).

It was identified through the commonalities it shares with Flame, which include the architectural platform, module structure, code base and means of communication with C&C servers.

The first incidents involving Gauss date back as early as September last year. The Gauss C&C servers stopped functioning 10 months later.

Chief malware expert Vitaly Kamluk said Gauss marked the first time a nation-state sponsored attack had stolen the details of internet banking users.

He said it was the third discovery of a nation-state sponsored cyber attack within 12 months.

The initial infection vector remains unknown, Kamluk said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition