Kaspersky Lab researchers are warning of a new form of government-sponsored malware called Gauss, which has already infected approximately 2,500 PCs, the vast majority of them in Lebanon.
"Gauss contains some of the same code as Flame, but is markedly different in a number of respects, specifically in its ability to steal online banking credentials and has an encrypted payload that experts haven't yet been able to crack," writes Threatpost's Dennis Fisher.
"The payload appears to be highly targeted against machines that have a specific configuration -- a configuration used to generate a key that unlocks the encryption," writes Wired's Kim Zetter. "So far the researchers have been unable to determine what configuration generates the key. They’re asking for assistance from any cryptographers who might be able to help crack the code."
"As with Flame, whoever controls Gauss can push various plug-ins to infected PCs," writes InformationWeek's Mathew J. Schwartz. "These plug-ins can do everything from relaying system configuration data and intercepted browser cookies and passwords to attackers, to stealing credentials used for Middle Eastern banks as well as social network login credentials. 'The modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss, and Joseph-Louis Lagrange,' according to Kaspersky Lab."
"Why would government-created spyware steal access to users' bank accounts? Kaspersky researcher Roel Schouwenberg suggests Gauss may have been part of [a] 'follow the money' surveillance operation," writes Forbes' Andy Greenberg. "'Where Flame was cyberespionage, Gauss seems to be part of a broader cybersurveillance operation,' he says. 'We assume the attackers want to monitor the bank accounts of the targets, to see how the money is flowing.'"