Gauss malware: Nation-state cyber-espionage banking Trojan related to Flame, Stuxnet
By Darlene Storm


The main Gauss module is only about 200k, one-third the size of the main Flame module, but it “has the ability to load other plugins which altogether count for about 2MB of code.” Like Flame and Duqu, Gauss is programmed with a built-in time-to-live (TTL). “When Gauss infects a USB memory stick, it sets a certain flag to ‘30’. This TTL flag is decremented every time the payload is executed from the stick. Once it reaches 0, the data stealing payload cleans itself from the USB stick.” Kaspersky Lab senior malware researcher Roel Schouwenberg said, "It may have been built with an air-gapped network in mind."

There were seven domains being used to gather data, but the five Command & Control (C&C) servers went offline before Kaspersky could investigate them. International Business Times has already laid the blame for creating Gauss at the feet of the U.S. and Israeli governments. Kaspersky said, “We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.” Kaspersky also reported that it’s “hard to believe that a nation state would rely on such techniques to finance a cyber-war/cyber-espionage operation.”
So far Gauss has infected more than 2,500 systems in 25 countries, with the majority, 1,660 infected machines, located in Lebanon. The researchers believe Gauss started operating around August-September 2011. “After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware’.” You can read more about the “abnormal distribution” on the Kaspersky blog or in the full technical paper [PDF].
Meanwhile, FinFisher, lawful-intercept malware used by government organizations for intelligence and surveillance activities, was discovered in the wild and analyzed by Rapid7. Gamma International claimed it didn’t sell its FinFisher spyware to Bahrain even though Bahrain activists were targeted. Instead the company suggested it might be a “demonstration copy of the product stolen from Gamma and used without permission.” Bloomberg then reported that the FinFisher spyware, which can secretly monitor computers, intercept Skype calls, turn on Web cameras and record every keystroke, has now spread to five continents.
After an in-depth analysis of the “governmental malware,” Rapid7’s Claudio Guarnieri concluded, "The malware seems fairly complex and well protected/obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use. That said, once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes.”
According to CitizenLab's research and WikiLeaks cables, the following should be the supported features:
- Bypassing of 40 regularly tested Antivirus Systems
- Covert Communication with Headquarters
- Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
- Recording of common communication like Email, Chats and Voice-over-IP
- Live Surveillance through Webcam and Microphone
- Country Tracing of Target
- Silent extracting of Files from Hard-Disk
- Process-based Key-logger for faster analysis
- Live Remote Forensics on Target System
- Advanced Filters to record only important information
- Supports most common Operating Systems (Windows, Mac OSX and Linux)
There is also an increase in other multi-platform malware infections, such as the ethically questionable backdoor monitoring tools, a virtual force for remote searches, sold to law enforcement and intelligence agencies. Russian anti-virus firm Dr. Web discovered a Trojan that could control Mac and Windows machines and dubbed it ‘Crisis’. F-Secure found it lurking in a Colombian transport website. It would "check if the user's machine was running in Windows, Mac or Linux and then download the appropriate files for the platform." It has been called DaVinci/Morcut/Crisis/Flosax, but it's definitely a commercial espionage Trojan sold by the Italian firm Hacking Team, which just happens to be a Gamma/FinFisher competitor. Hacking Team also brags of being able to get around encryption and specializes in selling services that allow intelligence agencies to monitor 100,000 targets at a time.