New Cyber Threat Hits Middle East Banks

A complex new cyber-espionage threat that targets online banking has been uncovered in the Middle East, researchers told Sky News.

The "Gauss" malware has a striking resemblance to the Stuxnet and Flame programmes, and is so complex it could only have been developed in conjunction with a 'nation-state', according to cybersecurity firm Kaspersky Lab.

Analysts declined to speculate on who might be behind the virus, but said it shared elements of the same source code and basic architecture as Stuxnet, Flame and Duqu, and had likely originated in the same lab.

Both Israel and the US have been accused, and denied, having connections to Stuxnet, a cybersabotage programme apparently targeting computers in Iran, although also found in high concentrations in India and Indonesia.

The Stuxnet worm, one of the most sophisticated pieces of malware ever detected, was able to take control of industrial machinery  by hijacking control systems.

Flame and Duqu were cyber-espionage weapons, stealing sensitive information from infected computers, and in the case of Flame – able to access the target's keyboard and microphone.

Gauss appears to be in the cyber-espionage vein – but this time targeting financial information, and overwhelmingly focused on users in Lebanon.

Kaspersky says the virus can steal browser passwords and online banking account credentials, although they believe the malware is monitoring transactions, rather than stealing money.

Attacks are overwhelmingly focused on Lebanon, targeting customers of Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais, as well as users of Citibank and PayPal, which are popular in the country.

Alexander Gostev, Chief Security Expert at, Kaspersky Lab, said: "Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program.

"Similar to Flame and Duqu, Gauss is a complex cyber-espionage toolkit, with its design emphasizing stealth and secrecy; however, its purpose was different than Flame or Duqu.

"Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information."

The name "Gauss" was given by the malware creators and appears to reference the German mathematician Johann Carl Friedrich Gauss.

It was first discovered in June 2012, but subsequent analysis suggests it had been active since September 2011.

Kaspersky recorded 2,500 infections from late May 2012, but estimate the total number of victims could be in the tens of thousands.

Five command and control servers behind the attacks shutdown in July 2012, shortly after the virus was discovered, and the malware appears to be dormant at the moment.

Those servers have all been traced to fake domain names, registered to valid physical addresses, all of which appear to be unrelated public places.

The false identities target addresses in the US at first, before migrating to Portugal and India.

Gauss appears to be using a sophisticated method of transmission, with the ability to "disinfect" contaminated USB drives after a set number of executions, effectively covering its tracks.