Sentinel Labs researchers recently detected what they describe as “virtually invisible” malware called Gyges, which appears to have originated in Russia as part of a government espionage campaign.
“This specific Gyges variant … caught our attention due to its sophisticated anti-tampering and anti-detection techniques,” Sentinel head of research Udi Shamir wrote in a report [PDF] on the malware. “It uses less well-known injection techniques and waits for user inactivity (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution.”
The name is appropriate — in Greek myth, the Ring of Gyges gave its owner the ability to become invisible.
The malware, which targets Windows 7 and Windows 8 platforms, includes functionality for keylogging, eavesdropping on network activities, data exfiltration and theft of user identities. It’s also capable of installing rootkits and Trojans, and of functioning as ransomware.
“We have entered a new era,” Shamir wrote in the report. “In addition to anti-virus, even advanced protection measures including network monitoring, breach detection systems and sandboxing have become less effective at preventing and detecting advanced threats like Gyges before they can cause extensive damage.”
Sentinel CEO Tomer Weingarten told SC Magazine that the malware is now being used primarily for ransomware attacks, and is being spread by drive-by download and phishing. “This is a trend we are seeing — sophisticated malware being repurposed,” Weingarten said. “And with the growing activity of these evasion techniques, it’s very easy to infect a machine today. I think we’ll see more of this activity occurring.”
“We have all been seeing a rise in the sophistication of cybercriminal activity and the expansion of the cyber battlefield. … Sophisticated code like Gyges was created for a specific purpose by what appears to be a government agency, and it should have remained within the control of that agency,” RedSeal Networks federal CTO Brandon Hoffman said by email. “As growing contention amongst certain nations across fronts continues to increase it may be worth questioning if this code was released outside the agency on purpose to help fuel the non-official attack surface.”
If it was developed by the Russian government, Gyges would hardly be the first example of government-developed malware in the wild — back in 2011, a Trojan was uncovered that appeared to have been developed by the German government to intercept instant messaging communications, and in December of 2012, FireEye researchers came across the Sanny malware, which appeared to have been developed in Korea to target Russia’s space research, information, education and telecommunication industries.
And earlier this month, Symantec researchers warned of a group called Dragonfly or Energetic Bear, based in Russia, which has compromised several energy grid operators, electricity generation firms, petroleum pipeline operators and industrial equipment providers in the U.S., Spain, France, Italy, Germany, Turkey and Poland. “Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability,” the researchers wrote at the time.