Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Flame 2.0: Gauss Malware Targets Banking Credentials

Stuxnet, Duqu, and Flame cousin has been used in targeted attacks, operating undetected for at least a year, primarily in Middle Eastern countries.

Malware watchers, meet Flame and Stuxnet's cousin, known as Gauss, which is espionage software apparently commissioned by a nation state and first used as early as August 2011.

Here's what's known about Gauss: The surveillance malware has been designed to collect banking details, is apparently used only in highly targeted attacks, and has infected an inordinate number of PCs in Lebanon. Still, its exact purpose--including the potential motive that a nation state would have in stealing people's banking credentials--so far remains a mystery.

"In 140 chars or less, Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation," according to an analysis of Gauss published by the global research and analysis team at Kaspersky Lab. "Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations."

[ Keep your identity safe. See 8 Ways To Avoid Getting Your Life Hacked. ]

There are clear links between the modules used by Gauss and Flame, which is related to Stuxnet, which in turn is related to Duqu. In other words, all four pieces of malware appear to have been commissioned--if not developed--by the same entity. "Just like Duqu was based on the 'Tilded' platform on which Stuxnet was developed, Gauss is based on the 'Flame' platform," according to Kaspersky Lab. "It shares some functionalities with Flame, such as the USB infection subroutines."

As with Flame, whoever controls Gauss can push various plug-ins to infected PCs. These plug-ins can do everything from relaying system configuration data and intercepted browser cookies and passwords to attackers, to stealing credentials used for Middle Eastern banks as well as social network login credentials. "The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss, and Joseph-Louis Lagrange," according to Kaspersky Lab. "The module named 'Gauss' is the most important in the malware as it implements the data stealing capabilities and we have therefore named the malware toolkit by this most important component."

Kaspersky Lab said it discovered Gauss while continuing to participate in an effort commissioned by the International Telecommunications Union (ITU), which Kaspersky said is behind a program "aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace."

Interestingly, an ITU request to Kaspersky, earlier this year, to evaluate unknown malware that was found to be deleting sensitive information led to the discovery of Flame. Since then, Kaspersky has been analyzing other malware to see if it resembled Flame, and found "glaring similarities" in Gauss.

One feature of Stuxnet, Flame, and Gauss is that they've tended to operate undetected for significant periods of time. Flame, for example, was used in highly targeted attacks since at least 2010, and perhaps as far back as 2007, before being discovered in June 2012. "Flame is a prime example of why governments and industry must work together to tackle cybersecurity at the global level," said ITU secretary-general Hamadoun Toure in a statement, issued after Flame was discovered. "Early warning of new threats is vital."

In the case of Gauss, the first known variant appeared in August 2011, which is interesting, since that's the month when Hungary's CrySyS Lab announced that it had discovered Duqu. Meanwhile, the most recent version of Gauss debuted in January 2012. Kaspersky said it's logged only 2,500 Gauss infections since May 2012, though it estimates that the total number of infections will number in the tens of thousands. Finally, it said that the five command-and-control servers giving Gauss-infected PCs instructions and retrieving targeted data went dark in July 2012, though they could be restarted at any time.

Thanks to the developers forgetting to remove debugging information, Kaspersky noted some file designations with the name "white," which it said appears to refer to Lebanon, the name of which comes from the Semitic root word that means "white." On a related note, it's seen the vast majority of Gauss infections in Lebanon, followed by Israel and Palestine. Meanwhile, a handful of infections have been traced to PCs in the United States, United Arab Emirates, Qatar, Jordan, Germany, and Egypt.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29512
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/tf/sparse/SparseTensor), then an attacker can trigger a heap buffer overflow. This will cause a read ...
CVE-2021-29554
PUBLISHED: 2021-05-14
TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in `tf.raw_ops.DenseCountSparseOutput`. This is because the implementation(https://github.com/tensorflow/tensorflow/blob/efff014f3b2d8ef6141da30c806faf141297eca1/t...
CVE-2021-32817
PUBLISHED: 2021-05-14
express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is...
CVE-2021-32818
PUBLISHED: 2021-05-14
haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application tha...
CVE-2021-32819
PUBLISHED: 2021-05-14
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream...