Experts Find 2007 Variant of Malware Linked to French Intelligence

Researchers at Palo Alto Networks have come across a 2007 variant of Babar, a piece of malware believed to have been developed by a French intelligence agency.

The activities of the cyber espionage group known as the Animal Farm came to light in March 2014, when a French publication released a series of slides from Edward Snowden. The slides belonged to Canada’s Communications Security Establishment (CSE) and they detailed an espionage campaign dubbed “Operation Snowglobe.”

Further analysis by various security firms revealed that the Animal Farm group had been using several pieces of malware whose names were inspired by cartoon characters, including Babar, Dino, Casper and Bunny. Other malware families used by the threat actor are NBot and Tafacalou.

The group, previously believed to have been active since at least 2009, has targeted government organizations, military contractors, private firms, media companies, activists, and humanitarian aid organizations in many countries around the world.

Back in 2015, Kaspersky mentioned that it had found evidence of some Animal Farm malware being developed as far back as 2007, but the company did not share any details. Palo Alto Networks now says it has found a 2007 version of Babar, also known as Snowball. Researchers pointed out that the previously analyzed samples of this malware had dated back to 2011.

“Analysing historical malware samples helps us learn about its set of features and technical capabilities. This helps us compare a tool used by one adversary to that used by similar adversaries at that time,” Palo Alto’s Dominik Reichel said in a blog post.

Researchers analyzed a loader with a compilation timestamp of 11/09/2007 11:37:36 PM and a payload apparently compiled 10 seconds later. While timestamps can be modified, experts believe these are genuine.

This version of Babar was capable of obtaining information about the compromised machine, rebooting or shutting down the infected system, downloading files, and killing arbitrary processes. When obtaining information on the default Web browser, the malware uses a method that does not work on Chrome, which Google released in 2008, further indicating that the samples were truly developed in 2007.


Researchers also pointed out that the malware had abused the official website of the Permanent Council of Accounting of the Democratic Republic of the Congo (cpcc-rdc.org) for command and control (C&C) communications.

Experts also found a design flaw that left configuration data that should have been encrypted accessible in clear text, which is surprising given that the malware was developed by a sophisticated actor.

Code and structure analysis suggests that the Casper malware used by Animal Farm is based on this version of Babar.

Overall, Palo Alto Networks believes this piece of malware is “only average” compared to other malware created at that time by threat groups believed to be backed by nation states, such as Regin or Careto.

The theory that a French intelligence agency is behind the Animal Farm is based on information from the CSE slides, the targeted entities, language and regional settings, and various strings found in the malware code. Palo Alto Networks’ analysis also found that the loader and the main payload for the 2007 version of Babar had the resource language ID set to 1036, which corresponds to French.
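As an added example (not from the article or from Palo Alto Networks' analysis), the Python below pulls the two attribution indicators the article relies on out of a PE image: the COFF compile timestamp, used to check how far apart a loader and its payload were built, and a resource LANGID, decoded into primary and sub-language. The PE images it parses are constructed header stubs, not Babar samples, and the timestamps are made-up values.

```python
import struct
from datetime import datetime, timezone

# Added example, not from the article or Palo Alto Networks: reads the COFF
# TimeDateStamp of a PE image and decodes a Windows resource LANGID into its
# primary and sub-language parts. The images parsed here are constructed stubs.

LANG_FRENCH = 0x0C  # primary language ID for French, as defined in winnt.h


def pe_timestamp(image: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    ts = struct.unpack_from("<I", image, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_delta_seconds(loader: bytes, payload: bytes) -> int:
    """Seconds between loader and payload compile stamps (positive = payload built later).
    A small positive gap is consistent with both coming out of one build run; it is
    only a hint, since TimeDateStamp is trivially editable."""
    return int((pe_timestamp(payload) - pe_timestamp(loader)).total_seconds())


def decode_langid(langid: int) -> tuple[int, int]:
    """Split a LANGID into (primary language, sublanguage): low 10 bits / high 6 bits.
    1036 (0x040C) -> (0x0C LANG_FRENCH, 0x01 SUBLANG_FRENCH, i.e. France)."""
    return langid & 0x3FF, langid >> 10


def make_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header carrying only the fields parsed above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # "PE\0\0", Machine=i386, 1 section, TimeDateStamp, no symbols, optional hdr size, flags
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff


# Constructed sample pair: payload stamped 10 seconds after the loader.
LOADER = make_stub_pe(1_194_000_000)
PAYLOAD = make_stub_pe(1_194_000_010)
```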

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.