Russian-state malware used by cyber criminals in banking Trojans

By Graeme Burton
21 Jul 2014

Malware developed by the Russian intelligence service has been leaked to cyber-criminals and has been incorporated into "ransomware" and online banking Trojan toolkits.

That is the claim of Udi Shamir, chief research officer at the threat analysis company Sentinel.

Sentinel first discovered the malware, dubbed Gyges, in March 2014. It is "virtually invisible and capable of operating undetected for long periods of time", according to Shamir's research.

After analysing and reverse-engineering the software, the company concluded that the malware was developed by the Russian state.

"It appears to originate from Russia and be designed to target [other] government organisations. It comes to us as no surprise that this type of intelligence agency-grade malware would eventually fall into cyber criminals' hands," according to Sentinel's analysis.

It continues: "This specific Gyges variant was detected by our on-device heuristic agents and caught our attention due to its sophisticated anti-tampering and anti-detection techniques.

"It uses less well-known injection techniques and waits for user inactivity (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution."

The software exploits logic bugs in both Windows 7 and Windows 8 in order to gain elevated privileges.

"The malware calls directly to low-level native system APIs in order to bypass instrumentation tools or security software that is monitoring higher-level APIs such as the Win32 API libraries.

"Since Gyges was compiled as a 32-bit application running inside the Windows 64-bit operating system, it gets loaded inside the Windows-on-Windows (WoW64) subsystem during the switch from 32-bit compatibility mode to 64-bit mode, referred to as 'Heaven's Gate'.

"The malware threads executing inside the WoW64 (emulation) environment can execute a FAR CALL instruction. When executing a FAR CALL instruction, the processor can perform several calls, including one that allows them to gain a higher privilege level," according to the research.

Sentinel claims that evidence within the code links it to Russian state cyber-espionage efforts. "It exhibits similarities to Russian espionage malware discovered earlier this year and shares the same crypto-engine," claims the research.
