Malware related to Stuxnet and Flame found stealing bank information

Kaspersky Lab announced that it’s discovered a new piece of malware that specializes in obtaining login information for bank accounts in the Middle East. It’s called Gauss and is linked to Flame, Stuxnet, and Duqu.

“Gauss is a complex cyberespionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different to Flame or Duqu,” said Kaspersky Lab chief security expert Alexander Gostev in a statement. “Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

Kaspersky found the malware after digging deeper into Flame, a virus uncovered in May that was billed as one of the most advanced cyberespionage tools to date. Researchers said the malware has “striking resemblances” to Flame in the way it was designed. It seems Gauss shares the same source code from which Flame was built. But its actions are slightly different. While Flame installed a keylogger, turned on the computer’s microphone to record audio, and monitored “communications apps” such as IM, Gauss is focused on obtaining financial information.

Gauss is tailored to steal “access credentials” to Lebanese banks, which include the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais. Non-Lebanese entities that are also targets include Citibank and PayPal. This information, along with browser history, cookies, passwords, system configurations, and more, is sent back to the command and control servers. The malware, however, is in a veritable holding pattern since the command and control servers were shut down in July.

Kaspersky estimates that the number of infections are in the tens of thousands, but as of May around 2,500 infections were recorded. This is lower than Stuxnet, but higher than Flame, which Kaspersky says had around 700 infections.

In June, Kaspersky linked Flame to Stuxnet, the famous malware that hit Iran’s nuclear infrastructure in 2010. Many of Flames functions looked identical to those of Stuxnet’s, spurring Kasperky to dig deeper into the connection. Now the research firm says the two may have had creators that worked closely together, even sharing some of the same source code.

Gauss is the latest member of the family.

hat tip Wired; Image via Shutterstock