There’s a new piece of malware targeting government organizations – and according to the security researchers who unearthed it, it’s basically invisible and can avoid being detected for a long period of time.
The name of this new variant is Gyges and it’s said to potentially come from Russia as a type of malware using lesser-known injection techniques. In a new report, researchers from Sentinel Inc. described how they uncovered it and how it works.
By waiting for user inactivity before it runs, Gyges escapes detection by sandbox-based security products, the opposite of the common trick of waiting for user activity as the trigger for execution. The malware exploits a logic bug in Windows 7 and Windows 8, but it is also very good at cloaking itself and hiding from the security products that would otherwise detect it, which leads the researchers to believe it was once a “carrier code” attached to other kinds of malware, mostly used for stealing government data.
So what’s the danger of this? Within the government, hackers have been able to exfiltrate data and eavesdrop on networking activities. They’ve also been able to use the malware to do keylogging, to steal user identities, and to take surreptitious screen captures, while stealing intellectual property.
Nor do Gyges’ uses stop there. Hackers have also used it as a form of ransomware, encrypting consumers’ hard drives and only decrypting them once they receive payment. Sometimes they use it for online banking fraud as well, and at the distribution level, Gyges allows hackers to install rootkits and Trojans, as well as to build botnets and zombie networks.
“The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code,” Sentinel Labs’ researchers wrote in their report.
“The fact that ‘carrier’ code can be ‘bolted on’ to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats.”
They added that even though IT administrators have security products such as network monitoring, breach detection systems, and sandboxing at their disposal, these may not always be enough in the face of advanced threats like Gyges.
For security professionals looking to avoid attacks from malware variants like Gyges, the researchers recommend continuous monitoring of endpoints, including the devices most likely to be targeted, so that malware cannot as easily escape detection.
Head on over here for the full report.