
More malware tears through Middle East as 'Gauss' steals banking information

Another day, another online threat. Kaspersky Lab has provided details on 'Gauss', a cyber-threat targeting users in the Middle East that is intended to steal personal details, like banking information.

According to Kaspersky, Gauss includes characteristics not found in any previously discovered cyber weapons.

Gauss was discovered as part of a campaign to mitigate the risks of cyber weapons, spearheaded by the International Telecommunication Union (ITU) and backed by Kaspersky. The effort kicked off after the emergence of Flame, another threat that targeted those in the Middle East.

"Kaspersky Lab's experts discovered Gauss by identifying commonalities the malicious program shares with Flame," the security firm said. "These include similar architectural platforms, module structures, code bases and means of communication with command & control (C&C) servers."

Gauss steals detailed information such as browser history, cookies, passwords, and system configurations, Kaspersky said, and it also harvests credentials for various online banking systems and payment services.

Specifically, it appears that Gauss was designed to steal data from Lebanese banks like Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, as well as Citibank and PayPal.

Gauss can also infect USB thumb drives using the same vulnerability seen in the Stuxnet and Flame viruses. "At the same time, the process of infecting USB sticks is more intelligent," Kaspersky said. "Gauss is capable of 'disinfecting' the drive under certain circumstances, and uses the removable media to store collected information in a hidden file."

In its research, Kaspersky found that Gauss started operating in September 2011, but it was not uncovered until June this year. By that time, Gauss's C&C infrastructure had been shut down, and Gauss is now in a dormant state.

Still, Kaspersky Lab has recorded more than 2,500 infections since late May 2012, and the estimated number of those affected could be in the tens of thousands.

"This number is lower compared to the case of Stuxnet but it's significantly higher than the number of attacks in Flame and Duqu," Kaspersky said.

While there are similarities between Flame and Gauss, Gauss appears to be targeting Lebanon while Flame focused on Iran. Flame also had a lower infection rate, hitting about 700 machines.

"Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program. Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasising stealth and secrecy; however, its purpose was different to Flame or Duqu," Alexander Gostev, chief security expert at Kaspersky Lab, said in a statement. "Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."

The malware got its name from German mathematician Johann Carl Friedrich Gauss; other components of Gauss refer to famous mathematicians like Joseph-Louis Lagrange and Kurt Gödel.

Kaspersky said that Gauss is a "nation-state sponsored cyber-espionage toolkit," but did not elaborate. Recently, the Stuxnet and Flame viruses were tied to the US and Israeli governments.