Additional Information on Gauss and Flame Leads to Different Conclusion

UPDATE: In our post earlier today, "New Evidence: Guys Behind Gauss and Flame are the Same," we concluded that there was some sort of relationship between the Gauss and Flame malware actors, based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sink-holed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates.

We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions.

Like the team at Kaspersky and the many others who actively participate in security research, the FireEye Lab is committed to improving the understanding of the most prevalent and dangerous cyber threats today. As we all know, it is not an easy job. We appreciate the feedback we receive from the security community, and our experience today is just one lesson on the need for even greater intelligence sharing and collaboration among the many talented groups and individuals in our field.


The original blog post has been left intact below.

The Gauss malware, which was in the media recently for its stealth and notorious payload, is now back from its dormant state with a surprise. We recently discovered a very interesting shift in the Gauss malware CnC communication. Gauss bot masters have directed their zombies to connect to the Flame/SkyWiper CnC to take commands.

Previously Kaspersky found intriguing code similarities between Gauss and Flame, but this shift in its CnC confirms that the guys behind Gauss and Flame/SkyWiper are the same.

Before I go further let us take a look at the latest Gauss communication.

Figure 1. Gauss communication (screenshot not reproduced here)

The base domain in the above CnC request is one of the two dominant ones Gauss uses. Consider the following two base domains, where "x" may be a, b, c or d:

x.gowin7.com

x.secuurity.net

Previously, these domains resolved to the following IPs, located in Portugal and India:

109.71.45.115

182.18.166.116

However, the guys behind Gauss recently changed their A records, and all the sub-domains now resolve to the IP address 95.211.172.143, which is the Flame/SkyWiper CnC IP located in the Netherlands. Following are the resolutions for one base domain:

Name:    a.secuurity.net
Address: 95.211.172.143

Name:    b.secuurity.net
Address: 95.211.172.143

Name:    c.secuurity.net
Address: 95.211.172.143

Name:    d.secuurity.net
Address: 95.211.172.143

Similarly all subdomains of gowin7.com are also resolving to the same Flame/SkyWiper CnC IP.

Following are some of the domains that Flame/SkyWiper originally used in its campaign, pointing to the same CnC IP 95.211.172.143:

dnslocation.info

nvidiasoft.info

flashupdates.info

dnsportal.info

dnsupdate.info

videosync.info

syncdomain.info

rendercodec.info
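The pivot used above is "domains from two families resolve to one IP, therefore one operator." The update at the top of this post shows why that inference is fragile: the shared address turned out to be a research sinkhole, which collapses any domain whose registration has been seized onto the same IP. The following added example (not FireEye's code, and not part of the original post) walks the same passive-DNS reasoning over records constructed from the IPs and domains quoted here, detects the A-record change, finds IPs shared across families, and then grades the pivot, downgrading it to "no attribution value" when the IP is on a sinkhole list. The observation dates and the sinkhole set are assumptions for illustration.

```python
"""Passive-DNS pivot check for shared CnC infrastructure.

Added example, not FireEye's code. Resolution records are constructed from
the IPs and domains quoted in the post; observation dates are illustrative
and KNOWN_SINKHOLES is an assumption based on the update (the shared IP was
a researcher's sinkhole, not an operator-controlled server).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    family: str      # analyst label for the malware family using the domain
    observed: str    # YYYY-MM-DD the A record was seen (constructed)


# Constructed sample data: Gauss domains before and after the A-record change,
# plus two Flame domains that already pointed at the same address.
RESOLUTIONS = [
    Resolution("a.secuurity.net", "109.71.45.115", "Gauss", "2012-08-01"),
    Resolution("b.gowin7.com", "182.18.166.116", "Gauss", "2012-08-01"),
    Resolution("a.secuurity.net", "95.211.172.143", "Gauss", "2012-08-16"),
    Resolution("b.secuurity.net", "95.211.172.143", "Gauss", "2012-08-16"),
    Resolution("b.gowin7.com", "95.211.172.143", "Gauss", "2012-08-16"),
    Resolution("dnslocation.info", "95.211.172.143", "Flame", "2012-06-10"),
    Resolution("nvidiasoft.info", "95.211.172.143", "Flame", "2012-06-10"),
]

# Assumption: addresses the community has identified as research sinkholes.
KNOWN_SINKHOLES = {"95.211.172.143"}


def domains_by_ip(records):
    """Map each IP to the set of (domain, family) pairs that resolved to it."""
    out = defaultdict(set)
    for r in records:
        out[r.ip].add((r.domain, r.family))
    return out


def a_record_changes(records):
    """Return {domain: [(date, ip), ...]} for domains whose A record moved."""
    history = defaultdict(list)
    for r in sorted(records, key=lambda r: r.observed):
        history[r.domain].append((r.observed, r.ip))
    return {d: h for d, h in history.items() if len({ip for _, ip in h}) > 1}


def shared_ips(records):
    """IPs that domains from more than one family resolve to."""
    return {ip for ip, pairs in domains_by_ip(records).items()
            if len({fam for _, fam in pairs}) > 1}


def assess_pivot(ip, records, sinkholes=KNOWN_SINKHOLES):
    """Grade a shared-IP pivot.

    Co-resolution is only suggestive: a sinkhole or a shared hosting box puts
    unrelated families on one address, so it must be ruled out before the IP
    is treated as operator infrastructure.
    """
    families = {fam for _, fam in domains_by_ip(records).get(ip, set())}
    if ip in sinkholes:
        return "none: known sinkhole, not operator infrastructure"
    if len(families) < 2:
        return "n/a: single family"
    return "weak: shared IP only; corroborate with code, TLS or registrant overlap"


if __name__ == "__main__":
    for domain, hist in a_record_changes(RESOLUTIONS).items():
        print(domain, "->", " / ".join(f"{d}:{ip}" for d, ip in hist))
    for ip in shared_ips(RESOLUTIONS):
        print(ip, assess_pivot(ip, RESOLUTIONS))
```

Run as written, the script reports the two Gauss domains moving to 95.211.172.143 and grades that IP as having no attribution value because it is on the sinkhole list; with an empty sinkhole set the same co-resolution is still only "weak", which is the strongest a shared IP should ever be rated on its own.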


It seems these guys are getting more confident and blatant with each passing day. Previously, in the case of Flame, a registrant-anonymity service was used when registering domains; they could have done the same for Gauss, but instead opted for fake registrant names such as Adolph Dybevek and Gilles Renaud. Now they are openly sharing resources and adding more modules/functionality (banking being a recent example) to their malicious software.

Two of the infected machines we found were in the U.S. and part of very well-reputed companies. We here at FireEye are continuously monitoring these APTs and will update with any additional information we find.
