Gauss Espionage Malware Stealing Banking Data in Middle East

Researchers are tying the Gauss malware to Flame in what could be an example of a state-sponsored banking Trojan. Researchers say there is no doubt that Gauss came from the same software "factory" as Flame.

A cyber-espionage tool security pros say is linked to Flame has been spotted stealing banking information in a spate of attacks in the Middle East.

Researchers at Kaspersky Lab said the malware, known as Gauss, was launched back in August or September of 2011–roughly the same time as the Duqu malware was discovered. In the case of Gauss, researchers discovered it as part of ongoing effort by the International Telecommunication Union (ITU) following the discovery of the Flame malware earlier this year.

"Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program," said Alexander Gostev, chief security expert at Kaspersky. "Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different [from] Flame or Duqu. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."

Just as Duqu was based on the "Tilded" platform Stuxnet was developed on, Gauss is based on the Flame platform, according to Kaspersky. Multiple modules of Gauss collect information from browsers, including the history of visited Websites and user passwords. The malware also steals data about the infected machine, such as BIOS information and information about network interfaces.

But it is its ability to steal financial information that has really raised eyebrows. The Gauss module specifically targets data from the clients of several Lebanese banks, including the Bank of Beirut and BlomBank as well as Citibank and PayPal. This feature, Kaspersky researchers said, gives it the distinction of being the first publicly known state-sponsored banking Trojan.

Though the initial infection vector is not known, Gauss has the ability to infect USB thumb drives with a data-stealing component using the same LNK vulnerability exploited by Stuxnet and Flame. However, the process of infecting USB sticks is more intelligent in Gauss, as it is capable of disinfecting the drive under certain circumstances and using the removable media to store collected information in a hidden file.

The USB data-stealing payload contains several encrypted sections that are decrypted with a key derived from certain system properties, the company explained.

"These sections are encrypted with an RC4 key derived from a MD5 hash performed 10,000 times on a combination of a "%PATH%" environment string and the name of the directory in %PROGRAMFILES%. The RC4 key and the contents of these sections are not yet known-so we do not know the purpose of this hidden payload," according to Kaspersky's whitepaper on the malware.

The majority of the infections have been found in Lebanon, Palestine and Israel. All totaled, Gauss is known to have infected roughly 2,500 machines, a figure significantly higher than the 700 believed to have been infected by Flame.

Nevertheless, code references, encryption subroutines and the command and control infrastructure for Gauss indicate the malware was manufactured by the authors of Flame, according to Kaspersky–which if true, could point the finger at the United States, which has been accused of creating Flame as part of a cyber-operation against Iran.

"Gauss was built on the same platform that Flame was built on," said Roel Schoewenberg, senior antivirus researcher for Kaspersky. "There's absolutely no doubt they come from the same factory. A lot of the same source code was used. Unless someone managed to steal the Flame source code, this is done by the same attackers."