Gyges malware now being integrated into ransomware and rootkits by cybercriminals
ZDNet reported that there is reason to believe “government-grade” malware called Gyges, designed to operate undetected on computer systems, is now in the hands of cybercriminals who are integrating it into rootkits and ransomware. Experts at Sentinel Labs security firm discovered Gyges malware in March 2014. The level of complexity of Gyges is very high, the experts have found similarities with malware used by the Russian Government as cyber weapon, this incarnation of the malware is targeting commercial sector.
As explained by the experts in an official report issued by Sentinel Labs, Gyges seems to be the result of the “contamination” of a very complex code used to avoid detection and the more quick and dirty executable that directs the payload. According to the report, the malware probably originated from Russia, and “is virtually invisible and capable of operating undetected for long periods of time.”
The most complex part of Gyges is represented by the evasion techniques; the malware is able to avoid controlled execution of the malicious code in a sandbox or in a virtual environment, a technique used by the security analysts to qualify the cyber threat. The author of the malware also designed a set of features to make harder the reverse engineer or debug of the malicious code.
According to the report, “This specific Gyges variant was detected by our on-device heuristic agents and caught our attention due to its sophisticated anti-tampering and anti-detection techniques. It uses less well-known injection techniques and waits for user inactivity, (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution.” Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions).”
Gyges also includes sophisticated components for data exfiltration, keylogging, and eavesdropping of targeted networks. The dirty components added to the code by criminal gangs behind the malware campaign includes ransomware capabilities and a banking data stealer, revealing the financial motivations of the bad actors.
F-Secure’s Chief Mikko Hyppönen at the TrustyCon explains the risk that a Government-built malware and cyber weapons will run out of control, stating, “Governments writing viruses: today we sort of take that for granted, but 10 years ago that would have been science fiction.” He continues, “If someone had come to me 10 years ago and told me that by 2014 it will be commonplace for democratic, Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that’s exactly where we are today.”
The uncontrolled diffusion could happen in various ways — a data breach or the outsourcing of part of the development of the malicious code to malware authors. “It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands,” writes Sentinel Labs research head, Udi Shamir. “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized, and coupled with other malware to commit cybercrime.”
The report concludes, “The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code. The fact that “carrier” code can be “bolted on” to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats.”
The mixing of commercial malware with highly-sophisticated components derived by cyber weapons could generate new powerful cyber threats hard to detect and dangerous for every entities in the cyber space.