Gauss the malware - An electromagnetic cyber espionage tool

--Written by Moophz Himself (@Moophz)

Cyber missiles hitting the Middle East again in particularly Lebanon, more profoundly into its banking sector.

Gauss the malware; cousin of Stuxnet, Duqu and Flame (the one that targeted the nuclear infrastructure of Iran). They all share the same core functions and the same very well known source: the "X Government". One of the main differences between them is that Gauss is the smartest so far.

The internet is flooded with technical reports (listed at the end of this page); this tiny article digs into the non-technical side effects instead (A.K.A. inference by deduction).

Gauss cleared its traces 2 months ago after 8 months of operational information gathering; the self-demolition part made researchers' lives hard when trying to identify the real, REAL infection transmission vector.

Situation 1: Kaspersky reported that of 2,500 infections, 1,655 were located in Lebanon (66.2%).
Conclusion 1: LEBANON is targeted. (Q1: Why Lebanon?)

Situation 2: The malware scans internet transactions and browser cookies for the keywords below and stores the matches in its logs (to later transmit them back to its command and control):
paypal, mastercard, eurocard, visa, americanexpress, bankofbeirut, eblf, blombank, byblosbank, Citibank, fransabank, yahoo, creditlibanais, amazon, facebook, gmail, hotmail, ebay, maktoob.
Conclusion 2: At first glance it can be noted that monetary cyber services are being embattled. The banking sector was pwned by the biggest share: the list includes the biggest banks of Lebanon but excludes SGBL and Bank Audi (the highest ranked in Lebanon, with a vast expansion in the surrounding countries).
(Q2: Why the Lebanese banking sector? Q3: Why the exclusion of Bank Audi and SGBL?)
Not to forget, the US Department of Justice accused the "Lebanese Canadian Bank" of being a major money laundering source for Hezbollah; this bank was suddenly merged with SGBL (Societe Generale). Are those banks whitelisted now?
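To make the cookie-harvesting behaviour concrete from the defender's side, here is an added exposure check (example code, not Gauss code and not from any of the reports linked below): it parses a Netscape-format cookies.txt and reports which of the keywords listed above a harvester with that list would have matched in the stored cookies. The cookie file is a constructed sample; the only assumption is that the keyword match is a case-insensitive substring test over the cookie's domain, name and value.

```python
"""Check which stored browser cookies the keyword list attributed to Gauss
would match. Constructed example for exposure assessment, not malware code."""

# Keyword list as quoted in the write-up above (matched case-insensitively).
GAUSS_KEYWORDS = (
    "paypal", "mastercard", "eurocard", "visa", "americanexpress",
    "bankofbeirut", "eblf", "blombank", "byblosbank", "citibank",
    "fransabank", "yahoo", "creditlibanais", "amazon", "facebook",
    "gmail", "hotmail", "ebay", "maktoob",
)

def parse_cookies_txt(text):
    """Parse Netscape cookies.txt: 7 tab-separated fields per line
    (domain, include_subdomains, path, secure, expiry, name, value).
    Lines starting with '#' are comments, except the '#HttpOnly_' prefix
    that Firefox/curl use to mark HttpOnly cookies."""
    cookies = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        domain, _sub, _path, secure, _expiry, name, value = fields
        cookies.append({"domain": domain.lstrip("."), "name": name,
                        "value": value, "secure": secure == "TRUE"})
    return cookies

def matching_keywords(cookie):
    """Keywords found (case-insensitive substring) in domain, name or value."""
    hay = " ".join((cookie["domain"], cookie["name"], cookie["value"])).lower()
    return sorted(k for k in GAUSS_KEYWORDS if k in hay)

def exposure_report(text):
    """Map each matched keyword to the sorted cookie domains that triggered it."""
    report = {}
    for cookie in parse_cookies_txt(text):
        for keyword in matching_keywords(cookie):
            report.setdefault(keyword, set()).add(cookie["domain"])
    return {k: sorted(v) for k, v in report.items()}

# Constructed sample cookie file; .example domains are placeholders.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    ".bankofbeirut.example\tTRUE\t/\tTRUE\t1700000000\tSESSIONID\tabc123",
    ".example.org\tTRUE\t/\tFALSE\t1700000000\ttheme\tdark",
    ".mail.yahoo.example\tTRUE\t/\tTRUE\t1700000000\tY\tv=1",
    "#HttpOnly_.mail.example.net\tTRUE\t/\tTRUE\t1700000000\thotmail_pref\tx",
    "broken line without tabs",
    ".unlisted-bank.example\tTRUE\t/\tTRUE\t1700000000\tAUTH\tzzz",
])

if __name__ == "__main__":
    for keyword, domains in sorted(exposure_report(SAMPLE).items()):
        print(f"{keyword}: {', '.join(domains)}")
```

Substring matching is deliberately as loose as the reported keyword list implies, so short terms like "visa" will also hit unrelated names; treat the report as a triage aid, not a verdict.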

Q1: Why Lebanon?
Politically and financially: banking in Lebanon is the most stable sector and managed to survive the hardest financial crises; shaking it might lead the entire financial system to collapse and plunge the whole country into systematic political chaos. So gaining control over this sector escalates your privileges to peacefully gain control over the country itself.

Q2: What makes Lebanon more affected than others?
Q3: What makes Lebanon the most targeted among others?

  1. Lack of IT security awareness.
  2. A non-negligible number of them are reactive: they wait to be attacked before reacting and starting to fix things.
  3. The combination of being the "least corrupt institution" with its "Banking Secrecy Law" makes bribing (usually the easiest way) an invalid option and reaching financial information almost impossible. This triggers the need for a cyber espionage weapon.

Q4: What made Lebanon targeted BY the X Government again?

A4: A2 + A3 plus:

  1. Monitoring monetary transactions between Lebanon's so-called 'friend' countries.
  2. The interest in tracing financial transactions between Hezbollah, pro-Syrian and pro-Iranian organizations.
  3. Monitoring the bank accounts of Arab leaders who benefit from the secrecy law while trying to escape their 'monitored' countries.

Back to the technical side: the malware is a data mining engine and was not aimed directly at the listed banks' information systems but at their customers. That doesn't mean the banks' information systems are clean, but it would be a scandal if bank employees' workstations were discovered infected.
Kaspersky Lab researchers are currently working on analysing and deciphering the logs consolidated by Gauss; we expect results in the near future.

Just to close, it's evident that the creators of the internet are ruling under the title "My internet, My rules". It would be outrageous for the Lebanese banking system if the mined data were leaked; it would be the biggest breach in the history of the Secrecy Law. But now think how armageddonish it would be for the Middle East if the information gathered by Stuxnet, Duqu and Flame were leaked to the masses.


Additional references for historical attacks on the Lebanese banking system:
Skimming, summer 2009 - Payment card fraud
Lebanese Canadian Bank accused by the FBI of being a major money laundering source for Hezbollah

Technical reports:
The most detailed article, from the Kaspersky Lab blog
Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload

10 Curious tech facts about Gauss – the malware