Cybersleuths at Kaspersky Lab have announced the unmasking of yet another apparently state-sponsored cyber-weapon dubbed ‘Gauss’ which appears to be attacking banks and individuals in a number of Middle-Eastern countries but not, for once, the usual target, Iran.
Kaspersky describes the malware as “a nation state sponsored banking Trojan which carries a warhead of unknown designation,” capable of stealing data from Windows systems and coming with an unknown, encrypted payload waiting to execute.
This almost sounds like the remit of conventional malware, but there is more to it in Kaspersky’s view, starting with the fact that Gauss appears to have been built on the same development platform that resulted in the Flame cyberweapon that caused huge fuss when it was revealed (also by Kaspersky Lab) in May.
If correct, that would position Gauss as the junior partner in crime to Flame in the same way that Duqu was believed to be a smaller and more targeted development from the Stuxnet malware used to undermine Iran’s nuclear programme in 2010.
Indeed, it is possible that Gauss became operational as the successor to Duqu after the latter’s discovery, which would tie in with what Kaspersky believes is Gauss’s activity period of August to September 2011.
According to Kaspersky Lab, around 2,500 Gauss infections had been detected, mainly in Lebanon, with further victims in Israel and Palestine. Small numbers of infections had been found in the US, UAE, Qatar, Jordan, Germany and Egypt.
The true extent of the malware’s activity won’t be known until the command and control servers have been analysed in more detail; Kaspersky said it had detected high workloads on these which hinted at a more substantial attack volume.
So why not attack Iran? This is not clear. All of the other weapons on the list above had a connection to that country.
And why use a banking Trojan? Credential stealing and account monitoring (rather than outright theft of money) is the most likely motivation. Gauss steals bank logins, but it also steals any other logins it finds, including social media, email, IM and browser passwords; it spreads via USB sticks and monitors the infected system and any attached drives.
Beyond that, the malware was set loose with a Firefox plug-in to target a number of banks in the region, including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, Citibank and PayPal, Kaspersky said.
The Lebanon connection could be a clue to Gauss’s purpose. That country is often cited as a clearing point for business conducted by Iran, sometimes involving the Shia anti-Israel militant group Hezbollah. Speculatively, cyberspies could be attempting to monitor Iran’s money movements and its web of business relationships, including the individuals connected to it.
Kaspersky said it isn’t sure how Gauss spreads. It doesn’t have a worm component so the best guess is that it was designed as a slow-spreading piece of malware, possibly via USB sticks. Unlike Flame, the company has not found any zero-day exploits.
“There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state sponsored attacks. We have evidence that Gauss was created by the same “factory” (or factories) that produced Stuxnet, Duqu and Flame,” said Kaspersky Lab in its analysis.
As with the enigmatic Duqu programme that experts struggled to interpret, Gauss is an odd one. Kaspersky Lab has clearly been studying it for some time, as it was discovered during the same trawl for the International Telecommunication Union (ITU) that uncovered Flame.
Whatever Gauss turns out to be, Kaspersky Lab gives every indication of being a company enjoying itself. Having been the firm that discovered Duqu and Flame, it is now almost single-handedly outing cyber-malware programme after cyber-malware programme, which has raised questions in US circles about the motivation of the company.
Many if not all of these programmes are assumed to be the work of the US and Israel and to have an anti-Iran focus, which recently led one journalist into a public spat with Kaspersky Lab founder and CEO Eugene Kaspersky over his alleged connections to the Russian FSB and the Kremlin.
That seems far-fetched, perhaps (Kaspersky is Russian after all and worked for the KGB long ago) but in the unfolding world of cyber-malware almost everything seems far-fetched. With every new revelation, the world thinks it knows more whilst being able to assume less.