A new sophisticated malware toolkit has been discovered that is stealing bank credentials, cookies and configurations of infected machines across the Middle East.
The malware, dubbed Gauss, has stolen data from several Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.
It also targeted Citibank and PayPal up until last month when the Command and Control (C&C) servers went dormant.
More than 2500 infections have been recorded since late May by Kaspersky Lab -- the outfit credited with the malware's discovery -- with tens of thousands of victims estimated in total.
The number is lower than that of Stuxnet, but it is significantly higher than the number of victims of the Flame and Duqu malware.
Researchers found 1660 unique victims in Lebanon, 483 in Israel and 261 in the Palestinian territory.
Kaspersky Lab said Gauss collected information including: user passwords; cookies; browser history; information about the computer's network connections, processes and folders, and local, network and removable drives.
It also said it was able to infect USB drives, use the removable media to store collected information in a hidden file and disinfect a drive under certain circumstances.
Gauss "bears a striking resemblance" to the Flame malware according to Alexander Gostev, chief security researcher at Kaspersky Lab.
"Similar to Flame and Duqu, Gauss is a complex cyber espionage toolkit, with its design emphasising stealth and secrecy," he said.
Gauss, like Flame, Stuxnet and Duqu, infected machines via USB, ran its C&Cs on Linux, used fake SSL certificates, hid its traffic in HTTPS, and registered fake names and addresses that pointed to hotels and public places.
The malware was found during investigations by Kaspersky into Flame at the request of the International Telecommunications Union (ITU).
It was identified through commonalities it shared with Flame, including architectural platforms, module structures, code bases and means of communication with C&C servers.
The first incidents involving Gauss date back as early as September last year. The Gauss C&C servers stopped functioning 10 months later.
Chief malware expert Vitaly Kamluk said Gauss marked the first time a nation-sponsored attack had stolen the details of internet banking users.
He said it was the third discovery of a nation-state sponsored cyber attack within 12 months.
The infection vector was unknown, Kamluk said.