It was only a matter of time until cyber criminals got their hands on a piece of government-made malware and repurposed it for their own criminal needs.
Sentinel Labs researchers have unearthed and have managed to analyze a variant of the malware they dubbed Gyges, which they believe was previously used as a “carrier” for state-sponsored attacks aimed at exfiltrating government data.
In the hands of cyber crooks, this carrier is used to deliver ransomware, rootkits and banking trojans.
Gyges is extremely sophisticated. It uses less-known injection techniques, and highly advanced anti-debugging and anti-reverse-engineering.
“Interestingly, the malicious code used for all of these evasion techniques is significantly more sophisticated than the core executable,” the researchers pointed out, adding that that made them dig deeper and eventually discover government traces inside the code.
The malware waits for user inactivity to start doing its thing. It targets Microsoft Windows 7 and 8, is packed with heavily modified Yoda protector, which provides polymorphic encryption and anti-debugging to hide malicious behaviour, and shares the same crypto engine as the previously mentioned Russian espionage malware.
“The fact that ‘carrier’ code can be ‘bolted on’ to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats,” the researchers concluded.
“We have entered a new era. In addition to antivirus, even advanced protection measures including network monitoring, breach detection systems and sandboxing have become less effective at preventing and detecting advanced threats like Gyges before they can cause extensive damage.”
For additional technical details about the malware’s behaviour and capabilities, check out the researchers’ report.