"Government-grade" malware, which lurks in computer systems undetected for long periods of time, is believed to be in the hands of hackers using it to make rootkits and ransomware more potent.
According to security researchers at Sentinel Labs, malware originally created for the purpose of government espionage, dubbed Gyges, is now undergoing a transformation as hackers use the software to make their own rootkits and ransomware more sophisticated and harder to detect.
Gyges was discovered in March this year by Sentinel Labs Research Lab, as detailed within the company's latest intelligence report (.PDF). According to the report, the malware probably originated from Russia, and "is virtually invisible and capable of operating undetected for long periods of time."
"It comes to us as no surprise that this type of intelligence agency-grade malware would eventually fall into cybercriminals’ hands," Sentinel Labs states. "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime."
While Sentinel Labs was able to detect the government-grade malware with on-device heuristic sensors, many intrusion prevention systems would miss it. Gyges uses "sophisticated anti-tampering and anti-detection techniques," as well as lesser known injection techniques. The malware waits for user inactivity before operating — in direct contrast to popular methods that activate when a user is active — which helps it avoid detection by sandbox-based security tools.
The malware also uses a hooking bypass technique that exploits a logic bug in Windows 7 and 8, both x86 and x64 versions, contains anti-debugging and anti-reverse-engineering defenses, and uses a "protector," Yoda, which obscures malicious activity by converting the application into sections.
Gyges can be bolted on to other malware, making malicious code more difficult to detect. While the researchers believe that Gyges may have been used in ransomware, such as CryptoLocker, they also believe that the code was designed to be a "carrier" for sophisticated attacks — such as the infiltration of government systems in order to steal valuable and sensitive information. The carrier could be used to insinuate code into systems, which allows for keylogging, spying, screen capture and data theft.
By bolting the sophisticated code on to less sophisticated malware, such as rootkits and ransomware, rates of infection can be increased — as well as duration. This, in turn, can give cybercriminals a better return on investment if they are tacking on Gyges to make ransomware harder to detect and remove — which can then be used to force computer users to hand over financial data and pay unlock fees.
Sentinel Labs says:
The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code. The fact that "carrier" code can be "bolted on" to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end of life for detecting advanced threats.