Gyges, the mixing of commercial malware with cyber weapon code

Sentinel Labs firm discovered a sophisticated malware dubbed Gyges that is the mixing of commercial malicious code with code of alleged cyber weapon.

Experts at Sentinel Labs security firm have discovered Gyges malware in the wild in March 2014, the malicious code appears very sophisticated to the researches which attributed it to a state-sponsored project. The level of complexity of Gyges is very high, the experts have found similarities with malware used by the Russian Government as cyber weapon, but the concerning aspect of the story is that the malware is targeting commercial sector.

It is not clear how the experts have associated Gyges code to state-sponsored operation, the report doesn’t provide too much details on this aspect, it just highlights that the code was detected in previous targeted attacks, the experts also confirmed that there is no commercial malware with such level of complexity. .

As explained by the experts in an official report issued by Sentinel Labs Gyges seems to be the result of the “contamination” of a very complex code used to avoid detection and the more quick and dirty executable that directs the payload.

The most complex part of Gyges is represented by the evasion techniques, the malware is able to avoid controlled execution of the malicious code in a sandbox or in a virtual environment, a technique used by the security analysts to qualify the cyber threat. The author of the malware also designed a set of features to make harder the reverse engineer or debug of the malicious code.

“This specific Gyges variant was detected by our on-device heuristic agents and caught our attention due to its sophisticated anti-tampering and anti-detection techniques. It uses less well-known injection techniques and waits for user inactivity, (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution.” Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8  (x86 and x64 versions) “states the report.

As explained in the report, Gyges also includes sophisticated components for data exfiltration, keylogging and eavesdropping of targeted networks. The dirty components added to the code by criminal gangs behind the malware campaign includes ransomware capabilities and a banking data stealer, revealing the financial motivations of the bad actors.

The circumstance that source code developed by a government is in the hands of cyber criminals is worrying and in line with predictions of security experts. F-Secure’s Chief Mikko Hyppönen at the TrustyCon explained the risk that a Government-built malware and cyber weapons will run out of control.

“Governments writing viruses: today we sort of take that for granted but 10 years ago that would have been science fiction,” “If someone had come to me ten years ago and told me that by 2014 it will be commonplace for democratic Western governments to write viruses and actively deploy them against other governments, even friendly governments, I would have thought it was a movie plot. But that’s exactly where we are today.” he said during his speech. 

The uncontrolled diffusion could happen in various ways, a data breach or the outsourcing of part of the development of the malicious code to malware authors.

“It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands,” “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.” wrote Sentinel Labs research head, Udi Shamir.

Despite Russia is considered one of the most advanced cyber-powers, it’s hard to link a component of a malicious code discovered in the wild to its cyber units, today there is little knowledge of Russian cyber arsenal and its real capabilities that evolve rapidly. Recently BAE Systems Applied Intelligence disclosed a Russian cyber espionage campaign codenamed as SNAKE that targeted Governments and Military Networks.

The attackers behind the operation SNAKE penetrated highly secured systems all around the world, but most interesting revelation is that the Uroburos rootkit recently discovered by German security firm G Data Software was just one component of the overall SNAKE campaign.

Another interesting discovery was made early this month by experts at F-Secure firm which detected another strain of malware called Cosmu, which they suggested could be a Russian cyber weapon.

“The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code. The fact that “carrier” code can be “bolted on” to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats.” concludes the report.

The mixing of commercial malware with high sophisticated components derived by cyber weapons could generate new powerful cyber threats hard to detect and dangerous for every entities in the cyber space.

Pierluigi Paganini

(Editor-In-Chief, CDM)




July 25, 2014

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...