Researchers have come across another sophisticated piece of Middle Eastern-targeted espionage malware, which, at the very least, is capable of stealing bank login details, and, at the most extreme, is another Stuxnet.
Dubbed Gauss, the malware was discovered by analysts at Russia-based Kaspersky Lab, the same outfit that detected the Flame virus, which used world-class cryptographic functionality to spread and infect hundreds of machines in Iran to gather intelligence. And researchers found that Gauss, whose main module is named after the 19th century German mathematician Carl Friedrich Gauss, was built using the same platform as Flame.
Flame, as well as Stuxnet, are both believed to be collaborative creations of the United States and Israel.
Like Flame, Gauss contains several modules so that it can be customized to attack a victim in a certain way, Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazine.com on Thursday. So far, researchers have only gleaned insight about its password-stealing capabilities.
Experts who studied the trojan, which began spreading sometime late last summer, can confirm at least 2,500 computers, mostly in Lebanon, have been hit with the malware. It is capable of siphoning the usernames and passwords of a half-dozen banks in Lebanon, as well as Citibank and PayPal. The malware also can hijack data related to emails and social networking sites.
“We assume they somehow want to monitor bank accounts and money flow, but we don’t know for sure,” Schouwenberg said, adding that it does not appear as if any money has been stolen as a result of the operation.
But researchers are still unsure of the capability of Gauss’ encrypted payload, which Kaspersky so far has been unable to crack. Schouwenberg said the trojan contains a USB module, which indicates that it is targeting machines that are disconnected from the internet, thus unable to be remotely reached. This is typical of endpoints in “air-gapped” environments, he said.
What researchers do know is that the USB module searches for a specific system configuration — directories, programs and files — to ensure it is connecting to the system to which it wants to connect. Then, it runs MD5, a cryptographic hash function, 10,000 times to calculate the decryption key.
“Only then will the payload unlock itself,” Schouwenberg said, adding that, clearly, the malware’s authors want to prevent researchers like those at Kaspersky from reverse engineering Gauss.
“These guys know their crypto very well, and it shouldn’t be a surprise [considering] what they did with Flame,” he said.
But, what the payload contains or what precisely it is targeting remains a big mystery at this point.
“Critical infrastructure does indeed come to mind,” Schouwenberg said. “It’s very clear the attackers put in a lot of work to obscure this payload. We think this payload is a destructive one. Right now, we’re limited to our own imagination. It could be Stuxnet all over again.”
Schouwenberg said it seems the main operation is some sort of surveillance campaign, but this encrypted payload is the big unknown. Kaspersky Lab is inviting encryption enthusiasts to help it crack the code.
Researchers wouldn’t say why they believed Lebanese banks were a target. But a New York Times report on Thursday, quoting a Lebanon expert, said the United States has placed banks there under close watch ever since the Syrian uprising began. Lebanese financial institutions are being used to both fund the Syrian regime’s crackdown against opposition forces and also to launder money by militant group Hezbollah, of which Iran is a major sponsor, Bilal Saab, a Lebanon expert at the Monterey Institute for International Studies, told the paper.
Israel and Hezbollah also are fierce enemies, and Israel is believed to be behind assassination plots against Iranian scientists.