Thin line between government-grade and mainstream malware

Jul 18, 2014 22:21 GMT

Gyges, a piece of malware that appears to have been designed for spying on government organizations, is currently being operated by cybercriminals.

The malicious software was discovered in March 2014 by Sentinel Labs, who reverse engineered it to analyze its components and capabilities.

According to the company, Gyges can be considered an early example of how state-sponsored malicious code can be repurposed and extended with new modules by motivated individuals in the underground.

Sentinel Labs dubs this threat “the Invisible Malware” because of the complex anti-tampering and anti-detection mechanisms it integrates. They say it relies on little-known injection techniques and only becomes active when the user is idle.

Moreover, it appears to bypass sandbox-based security products and to resist debugging and reverse engineering. Combined with data-logging (keystroke recording, screen captures) and exfiltration capabilities, these features made it an attractive foundation for the criminals who obtained it.

Sentinel Labs said it found traces of government-grade tooling in the code, yet observed the malware being used in extortion campaigns that encrypt the victim’s data for ransom, as well as in banking fraud.

The code most likely originates in Russia and may have been created to spy on government organizations.

“The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code,” concludes the report from Sentinel Labs.

Brandon Hoffman, federal CTO for RedSeal Networks, points to the growing sophistication of cybercriminal activity, which in some cases could be attributed to government organizations deliberately releasing the malware they used in order to mask their own cyber espionage operations.

“Sophisticated code like Gyges was created for a specific purpose by what appears to be a government agency, and it should have remained within the control of that agency.

“As growing contention amongst certain nations across fronts continues to increase, it may be worth questioning if this code was released outside the agency on purpose to help fuel the non-official attack surface,” he told us via email.

He also argues that defensive techniques must be revised and improved at the same pace at which the threat landscape expands through malware modularization, which steadily adds functionality and complexity.

RedSeal Networks is a provider of end-to-end network visibility and analytics, designed to prevent cyber-attacks.