Threat Intelligence, Incident Response, Malware, TDR

Russian espionage malware adapted for ransomware scams


Espionage malware, believed to be authored by Russians, has been repurposed to carry out money-making cyber schemes, researchers revealed.

According to Sentinel Labs, the malware, called “Gyges,” targets Windows 7 and 8 users running 32 and 64-bit versions of the platforms. Researchers discovered the new Gyges variant in mid-April due to its sophisticated evasion techniques, which allow it to bypass anti-virus and sandboxing solutions.

In a threat intelligence report released this month (PDF), the company said that the “government-grade malware” leverages a hooking bypass technique to exploit a logic issue affecting Windows systems.

“The malicious code used for all of these evasion techniques is significantly more sophisticated than the core executable,” Udi Shamir, the author of the report and head of research at Sentinel Labs, wrote. “That led us to believe that it was previously used as a ‘bus' or ‘carrier' for much more sophisticated attacks such as government data exfiltration.”

After some digging, the research team discovered evidence in the ‘carrier' code, connecting it to earlier espionage attacks, Shamir added.

Gyges has been repurposed most often for ransomware attacks, to extort money from victims whose data has been held hostage via encryption, and in some cases to carry out online banking fraud, the Sentinel report said.

In a Thursday interview with, Sentinel CEO Tomer Weingarten, said that researchers saw the malware being spread via drive-by download and phishing schemes. The firm has yet to link the malware to a specific espionage campaign leveraging parts of the malicious code, he added.

Due to its original capabilities – like key logging, screen capturing, IP theft and network activity surveillance – along with its advanced evasion techniques, Sentinel deduced that the malware was used for cyber spying purposes.

“This is a trend we are seeing – sophisticated malware being repurposed,” he said. “And with the growing activity of these evasion techniques, it's very easy to infect a machine today. I think we'll see more of this activity occurring.”  

Sentinel's report echoed these sentiments, saying that Gyges demonstrates “how the lines are blurring between government-grade and mainstream attack code.”

“The fact that ‘carrier' code can be ‘bolted on' to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats,” the report said.

[An earlier version of this story incorrectly stated that Gyges targeted Windows users running 86-bit versions of the platform].

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.