Gauss: A Government Cyber Espionage Tool With Mysterious ‘Warhead’

A fresh piece of government-created malware has been spotted and it has a hidden payload that could cause carnage, security researchers have warned.

Known as Gauss, it is believed to be the work of the nation state or states who created the Flame cyber espionage tool, meaning it is also related to the Stuxnet and Duqu malware. Stuxnet and Flame are both believed to have been created by the US and Israel, meaning those two countries have again been implicated in another cyber espionage campaign.

The secret “warhead” contains an “unknown, encrypted payload which is activated on certain specific system configurations”, Kaspersky said. It has called for world class cryptographers to help figure out what the “special payload or time bomb” is in Gauss’ USB data-stealing payload.

Government wants to steal your money too?

Discovered as part of an ongoing investigation involving Kaspersky and the International Telecommunication Union (ITU), Gauss is the first known example of a government-created cyber tool that looks to steal banking information.

Lebanon has the most infections, with 1,660, and there Gauss has tried to steal and monitor data from the clients of several Lebanese banks. In addition, it was seen targeting users of Citibank and PayPal.

Outside of pilfering banking data, Gauss is able to hijack account information for social network, email and IM accounts, intercept browser cookies and passwords, harvest and send system configuration data to attackers and infect USB sticks with an information-stealing module. That means it can move across machines, if users are foolish enough to share data sticks. It can collect data on a system’s BIOS too.

Since late May 2012, Kaspersky has spotted more than 2,500 infections, meaning the total number of victims of Gauss is probably in the tens of thousands. Outside of Lebanon there were over 40 victims in the US, as well as a small number in the UAE, Qatar, Jordan, Germany and Egypt.

Kaspersky said it was fairly certain Gauss was related to Flame and Stuxnet, although it bore a stronger resemblance to Duqu.

“Gauss’ highly modular architecture reminds us of Duqu – it uses an encrypted registry setting to store information on which plugins load, is designed to stay under the radar, avoid security and monitoring programs, and performs highly detailed system monitoring functions,” the Russian security company said in a blog post.

“We are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu.”

Yet Gauss does not currently appear to be as smart as its relations. Kaspersky has not seen it take advantage of any zero-day vulnerabilities, nor have the attackers got their hands on the holy grail of hacking and created fake certificates for malicious Windows updates, as Flame’s overlords did to spread that malware.

It is not as heavy as Flame either, with the “mother-ship” module a little over 200K. It has the ability to load other plugins which altogether account for about 2MB of code, but that is still nowhere near Flame’s 20MB. Gauss was also programmed in C++, the standard language used in most malware, whereas its cousins used more esoteric languages such as Lua.

The tool was most likely created in mid-2011 and deployed for the first time in either August or September last year. However, Gauss’ command-and-control (C&C) infrastructure was shut down in July 2012 and at the moment the malware is in a dormant state.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
