Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload

A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.

The malware, which steals system information but also has a mysterious payload that could be destructive against critical infrastructure, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

The discovery appears to add to the steadily growing arsenal of malware created by the U.S. and Israeli governments. That list includes the groundbreaking Stuxnet cyberweapon that is believed to have infiltrated and caused physical damage to Iran’s uranium enrichment program, as well as the spyware tools known as Flame and DuQu. But Gauss marks the first time that apparently nation-state-created malware has been found stealing banking credentials, something that is commonly seen in malware distributed by criminal hacking groups.

The varied functionality of Gauss suggests a toolkit used for multiple operations.

“When you look at Stuxnet and DuQu, they were obviously single-goal operations. But here I think what you see is a broader operation happening all in one,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.

The researchers don’t know if the attackers used the bank component in Gauss simply to spy on account transactions, or to steal money from targets. But given that the malware was almost certainly created by nation-state actors, its goal is likely not to steal for economic gain, but rather for counterintelligence purposes. Its aim, for instance, might be to monitor and trace the source of funding going to individuals or groups, or to sabotage political or other efforts by draining money from their accounts.

While the banking component adds a new element to state-sponsored malware, the mysterious payload may prove to be the most interesting part of Gauss, since this part of the malware has been carefully encrypted by the attackers and so far remains uncracked by Kaspersky.