A new “cyber-espionage” toolkit that can track browser passwords, online banking credentials, cookies and other personal data has been identified in the wild, security researchers have announced. “Gauss” has until now been targeting users in the Middle-East, Kapersky Lab reports, exploiting previously-unseen loopholes and capable of stealing data from banks including Citibank, PayPal and Bank of Beirut. Somewhat bizarrely – and still unexplained – it also installs a special font on the victim’s machine.
The purpose of that font, called Palida Narrow, is currently unknown, though the trojan’s other abilities are more concerning. Gauss can infect USB drives and monitor browsers, sucking passwords, site history and other credentials and sending them to a remote command machine. It also runs a profile on the infected machine and reports that back, including details on network interfaces, BIOS and what drives are present.
Several Lebanese banks have been specifically targeted, with customers of the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais all apparently susceptible. Gauss has also been seen to target users of Citibank and PayPal.
While it shares features with Stuxnet and Flame, Gauss is said to be more complex in how it can hide on a system. Although it uses similar methods to infect removable drives, it’s also capable of “disinfecting” the drive if need be, at other times using it to store data in a hidden file so that it is not discovered by regular local-drive anti-malware scans.
Approximately 2,500 machines are believed to have been infected – more than three times as many as Flame – since what’s said to have been the first victim in September 2011. It’s unclear how the trojan is communicated, and who is remotely operating it.