Invisible, Government-authored Malware Makes its Way to Underground Forums

A sophisticated piece of malware dubbed Gyges has been discovered for sale in the Russian cybercriminal underground

A sophisticated piece of malware dubbed Gyges has been discovered for sale in the Russian cybercriminal underground. It’s virtually invisible and capable of operating undetected for long periods of time; and it appears to have originated as a state-sponsored piece of code.

As such, Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime, according to Sentinel Labs.

“We first detected Gyges with our heuristic sensors and then our reverse engineering task force performed an in-depth analysis,” explained Udi Shamir, head of research at Sentinel Labs, in a technical analysis. “It appears to originate from Russia and be designed to target government organizations. It comes to us as no surprise that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands.”

Gyges uses less well-known injection techniques and waits for user inactivity, as opposed to the more common technique of waiting for user activity. Shamir said that the method is clearly designed to bypass sandbox-based security products that emulate user activity to trigger malware execution. That level of innovation also points to government fingerprints in its authorship.
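The evasion described above has a detectable shape from the analyst's side: a process that repeatedly polls the system's idle timer for an extended span and only then touches another process. The script below is an added example, not code from the article or from Sentinel Labs, that scores sandbox API traces for exactly that pattern. The trace format, the threshold values, and the sample lines are all constructed for this illustration; the Windows API names (GetLastInputInfo, WriteProcessMemory, CreateRemoteThread, QueueUserAPC) are real, but which of them a given sandbox logs is an assumption.

```python
"""Flag 'wait-for-user-inactivity' behaviour in a sandbox API trace.

Heuristic: a process that polls the idle timer several times over a span of
seconds and then performs a cross-process write is behaving the way the
article describes, and a sandbox that never goes idle would miss it.
Trace format is constructed for this example (one API call per line).
"""
import re
from collections import defaultdict
from datetime import datetime

# APIs a process calls to learn how long the user has been idle (Windows).
IDLE_PROBE_APIS = {"GetLastInputInfo"}
# APIs associated with writing or scheduling code inside another process.
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread", "QueueUserAPC"}

MIN_IDLE_PROBES = 3          # assumed threshold: fewer polls is probably benign
MIN_POLL_SPAN_SECONDS = 10   # assumed threshold: polling must last this long

# Constructed trace line shape: "<ISO timestamp> pid=<n> api=<Name>".
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) api=(?P<api>\w+)")

# Constructed sample trace. pid 4120 polls the idle timer for 30 seconds and
# then injects; pid 5000 polls once and opens a file; pid 6100 writes into
# another process without any idle polling (a debugger-like workload).
SAMPLE_TRACE = """\
2014-07-01T10:00:00 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:05 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:10 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:15 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:20 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:25 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:30 pid=4120 api=GetLastInputInfo
2014-07-01T10:00:31 pid=4120 api=OpenProcess
2014-07-01T10:00:31 pid=4120 api=WriteProcessMemory
2014-07-01T10:00:31 pid=4120 api=CreateRemoteThread
2014-07-01T10:00:02 pid=5000 api=GetLastInputInfo
2014-07-01T10:00:03 pid=5000 api=CreateFileW
2014-07-01T10:00:04 pid=6100 api=OpenProcess
2014-07-01T10:00:04 pid=6100 api=WriteProcessMemory
"""


def parse_trace(text):
    """Return (timestamp, pid, api) tuples sorted by pid, then time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        events.append((datetime.fromisoformat(m["ts"]), int(m["pid"]), m["api"]))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def analyze_trace(text):
    """Return one finding per process that polls for idleness, then injects."""
    by_pid = defaultdict(list)
    for ts, pid, api in parse_trace(text):
        by_pid[pid].append((ts, api))

    findings = []
    for pid, calls in by_pid.items():
        probes = [ts for ts, api in calls if api in IDLE_PROBE_APIS]
        injections = [(ts, api) for ts, api in calls if api in INJECTION_APIS]
        if len(probes) < MIN_IDLE_PROBES or not injections:
            continue
        poll_span = (probes[-1] - probes[0]).total_seconds()
        first_inj_ts, first_inj_api = injections[0]
        # The injection must come after the polling stopped: the process
        # waited for inactivity and only then acted.
        if poll_span >= MIN_POLL_SPAN_SECONDS and first_inj_ts >= probes[-1]:
            findings.append({
                "pid": pid,
                "idle_probes": len(probes),
                "poll_span_seconds": poll_span,
                "first_injection_api": first_inj_api,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_trace(SAMPLE_TRACE):
        print(f"pid {f['pid']}: {f['idle_probes']} idle probes over "
              f"{f['poll_span_seconds']:.0f}s, then {f['first_injection_api']}")
```

Run against the constructed trace, only pid 4120 is reported. The practical lesson for a sandbox operator is the mirror image of the heuristic: a detonation run that only ever simulates clicks and keystrokes should also include a quiet period long enough to exceed whatever idle threshold a sample might be waiting for, otherwise the injection stage never executes inside the sandbox at all.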

“The analysis of Gyges generated hundreds of indicators from our heuristics engine that provided new and intriguing findings,” he noted. “For example, Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8 (x86 and x64 versions). It also combines highly advanced anti-debugging and anti-reverse-engineering. Interestingly, the malicious code used for all of these evasion techniques is significantly more sophisticated than the core executable. That led us to believe that it was previously used as a bus or carrier for much more sophisticated attacks such as government data exfiltration.”

Eventually, Sentinel recovered government traces inside the carrier code, which it later connected to previous targeted attacks that used the same characteristics.

“At this point it became clear that the carrier code was originally developed as part of an espionage campaign,” Shamir said.

Specifically, it can be used for eavesdropping on network activities, key logging, stealing user identities, screen capturing and other espionage techniques.

It has criminal perks too, which is why it has made its way to the private sector, as it were. It can be used for money extortion via hard drive encryption (ransomware) and online banking fraud. It can also install rootkits and trojans, create botnets and zombie networks, and target critical infrastructure.

As such, the Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code.

Of course, with continuous monitoring of activity on endpoints, the otherwise “invisible” malware cannot hide or evade detection. But other, more traditional techniques fall short at blocking malware like Gyges, the researcher concluded.

“The fact that carrier code can be bolted on to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats,” Shamir said. “We have entered a new era. In addition to antivirus, even advanced protection measures including network monitoring, breach detection systems and sandboxing have become less effective at preventing and detecting advanced threats like Gyges before they can cause extensive damage.”

Brandon Hoffman, federal CTO for RedSeal Networks, told Infosecurity that as the public sector across the globe continues to expand its espionage efforts, its responsibility to prevent leakage of those tools expands with it.

“Sophisticated code like Gyges was created for a specific purpose by what appears to be a government agency, and it should have remained within the control of that agency,” said Hoffman. “As growing contention amongst certain nations across fronts continues to increase, it may be worth questioning if this code was released outside the agency on purpose to help fuel the non-official attack surface. From a technical perspective, this malware has already been discovered. Therefore, the threat from this specific component remains high due to sophistication and modularization, but changes to techniques for defense are not part of a call to action because of Gyges. Increased vigilance in security is recommended.”
