(originally published 7/21/2014)
Sentinel Labs released an intelligence report on 16 July 2014 detailing a new type of malware, dubbed Gyges, that it had first detected in March of this year.
After detecting the malware, Sentinel reverse-engineered it and found a number of aspects that point to this software having originally been developed by a government and used for cyber-espionage. For instance:
- The malware uses a heavily modified version of the Yoda protector, ‘which provides polymorphic encryption and anti-debugging’, and which is similar to other Russian malware discovered earlier.
- It is designed to be very quiet and to activate when user activity is low (as opposed to most malware, which looks for high user activity levels).
- It calls low-level APIs directly to bypass monitoring, instrumentation and security tools, so that user-mode hooks placed on the higher-level APIs never see the call, decreasing the chances of detection.
- It uses a protector to split the malware into sections that run only as needed, and uses virtual-machine code to make it harder to decode and analyze.
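The low-activity trigger in the second bullet cuts both ways: if a sample only acts while nobody is at the keyboard, its activity should cluster in idle windows, and that is something a defender can look for. The following Python script is an added example, not code from the Sentinel report or from the original post. It runs a simple idle-window heuristic over a constructed telemetry log in an invented format (`<ISO timestamp> <kind> [<process>]`, where `kind` is either `input` for keyboard/mouse activity or `netconn` for an outbound connection). The five-minute idle threshold, the process names and every log line are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: no keyboard/mouse input for this long counts as "user idle".
IDLE_THRESHOLD = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str          # "input" (keyboard/mouse activity) or "netconn" (outbound connection)
    process: str = ""  # only meaningful for "netconn"


def parse_line(line: str) -> Event:
    """Parse one line of the constructed telemetry format: '<ISO-8601 ts> <kind> [<process>]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    kind = parts[1]
    process = parts[2] if len(parts) > 2 else ""
    return Event(ts, kind, process)


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def idle_connections_by_process(events) -> dict:
    """Return {process: (connections made while the user was idle, total connections)}.

    A connection counts as "idle" when the most recent input event is at least
    IDLE_THRESHOLD earlier. Connections seen before any input event are skipped,
    because the idle state is unknown there.
    """
    last_input = None
    counts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "input":
            last_input = ev.ts
        elif ev.kind == "netconn" and last_input is not None:
            idle_count, total = counts.get(ev.process, (0, 0))
            is_idle = (ev.ts - last_input) >= IDLE_THRESHOLD
            counts[ev.process] = (idle_count + (1 if is_idle else 0), total + 1)
    return counts


def flag_idle_only_processes(events, min_connections=3, idle_ratio=0.9) -> list:
    """Processes whose connections land almost exclusively in idle windows."""
    flagged = []
    for proc, (idle_count, total) in idle_connections_by_process(events).items():
        if total >= min_connections and idle_count / total >= idle_ratio:
            flagged.append(proc)
    return sorted(flagged)


# Constructed sample telemetry (not real data): the user works 09:00-09:30, leaves
# for lunch, and returns at 13:00. "loader.exe" only talks out while the desk is empty.
SAMPLE_LOG = """\
2014-07-21T09:00:00 input
2014-07-21T09:00:30 netconn chrome.exe
2014-07-21T09:01:00 input
2014-07-21T09:01:15 netconn chrome.exe
2014-07-21T09:02:00 input
2014-07-21T09:02:10 netconn updater.exe
2014-07-21T09:03:00 input
2014-07-21T09:30:00 input
2014-07-21T12:10:00 netconn updater.exe
2014-07-21T12:15:00 netconn loader.exe
2014-07-21T12:25:00 netconn loader.exe
2014-07-21T12:40:00 netconn loader.exe
2014-07-21T13:00:00 input
2014-07-21T13:00:20 netconn chrome.exe
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for proc, (idle_count, total) in idle_connections_by_process(events).items():
        print(f"{proc}: {idle_count}/{total} connections while user idle")
    print("flagged:", flag_idle_only_processes(events))
```

On the constructed log, `chrome.exe` makes all of its connections right after user input, `updater.exe` splits evenly between active and idle time, and only `loader.exe` is flagged. Legitimate updaters and scheduled tasks also fire when the machine is idle, so this is a triage signal rather than a verdict, and the idle signal itself should come from the OS (session lock/unlock or last-input records) rather than from user-mode hooks, which, as the third bullet notes, this class of malware deliberately steps around.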
An interesting aspect of Gyges is that it was most likely created as a delivery mechanism for an even more sophisticated payload that (as far as I know) has yet to be detected.
But an even more interesting thing about Gyges is that it illustrates the blurring of the lines between government and criminal enterprises in much of the world. It has long been a general maxim in cyber-security that cyber-espionage tools are very advanced and designed to be very quiet, with the goal of remaining in a target environment for as long as possible. Cybercriminal malware and attacks, in contrast, have taken more of a ‘smash and grab’ approach: getting in quickly, stealing data, and getting out quickly, without much thought for stealth.
But, as we’re starting to see, that approach may be more a sign of the lack of sophistication of many criminal hackers; once those same hackers gain the ability to quietly infiltrate their targets and enter and leave undetected, they are quite willing to do so, and to pay for software that will let them. All of which points to interesting times ahead.