Researchers at security firms ESET and Cyphort continue to analyze the malware families believed to have been developed by a French intelligence agency. The latest threat uncovered by experts has been dubbed “Casper.”
In March 2014, the French newspaper Le Monde published some slides from Canada’s Communications Security Establishment (CSE) describing “Operation Snowglobe,” a campaign the agency discovered in 2009. Additional slides were made available by the German publication Der Spiegel in January 2015. The presentation revealed details on a piece of malware named Babar, which appeared to be the work of a French intelligence agency.
Based on the information from the slides, researchers first uncovered a piece of spyware, dubbed “EvilBunny,” which they believe is linked to Operation Snowglobe. Last month, G DATA and Cyphort published the details of a threat which they believe is Babar, the malware described in the CSE slides. Now ESET and Cyphort have come across Casper, which also appears to have been developed by the same authors.
Casper and the links to other cartoon malware families
The new threat has been dubbed Casper because its dropper implant is a file named Casper_DLL.dll. The name could stem from the animated cartoon series “Casper the Friendly Ghost.”
According to ESET and Cyphort, Casper appears to be a reconnaissance tool designed to harvest information on the infected system, including OS version and system architecture, default Web browser, running processes, installed applications, apps that run on startup, and country and organization details.
Researchers have determined that Casper uses an interesting technique to evade detection by security solutions. Before acting, the espionage tool checks which antivirus product is running on the infected system and selects a matching “strategy,” a set of rules that defines how the malware installs itself and behaves in the presence of that product. Dedicated strategies exist for four specific antivirus products; if no antivirus is found, or if the installed product has no dedicated strategy, a default strategy is applied.
Experts discovered several similarities between Casper, Babar, EvilBunny and NBOT, a threat that also seems to be linked to the cartoon malware families.
The list of similarities includes enumeration of installed security solutions through Windows Management Instrumentation (WMI), a hashing algorithm used to resolve Windows API functions by hash rather than by name (so that the imported function names never appear as strings in the binary), custom unhandled exception filters, payload deployment through remote thread injection, an embedded and encrypted configuration in XML format, and proxy bypass code.
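To make the API-hashing technique concrete, here is an added illustrative example that is not Casper’s code and not taken from any of the cited reports. It uses the textbook ROR-13 hash (familiar from Metasploit shellcode) as a stand-in, since the page does not disclose the algorithm the cartoon families actually use; the export-table contents are constructed. The block shows both halves of the problem: how a loader resolves a function from a hash alone, and how an analyst maps the hash constants found in a sample back to API names by precomputing hashes over a list of known exports.

```python
"""Illustrative API-hashing example (added; not Casper's or any cited
researcher's code).

Malware in this cluster stores a hash of each Windows API name it needs instead
of the name itself, then walks a DLL's export table at run time and compares
hashes. String-based triage therefore never sees "CreateRemoteThread" or
"WriteProcessMemory"; the analyst has to recover the names from the constants.
The ROR-13 algorithm below is an assumption for illustration only.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name (illustrative
    algorithm, not the one used by Casper)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed stand-in for a kernel32.dll export table (names only; real PE
# export-directory parsing is omitted to keep the example self-contained).
KERNEL32_EXPORTS: List[str] = [
    "CreateRemoteThread",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "OpenProcess",
    "LoadLibraryA",
    "GetProcAddress",
    "SetUnhandledExceptionFilter",
]


def resolve_by_hash(target: int, exports: Iterable[str]) -> Optional[str]:
    """Loader side: walk the export names and return the one whose hash
    matches `target`, or None if nothing matches."""
    for name in exports:
        if api_hash(name) == target:
            return name
    return None


def build_rainbow(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for a list of known API names so
    that constants pulled from a disassembly can be labelled."""
    return {api_hash(n): n for n in names}


def annotate_constants(constants: Iterable[int],
                       rainbow: Dict[int, str]) -> Dict[int, str]:
    """Map each 32-bit constant found in a sample to an API name, or to
    '<unknown>' when it is not in the precomputed table."""
    return {c: rainbow.get(c, "<unknown>") for c in constants}


if __name__ == "__main__":
    # Constants as they might appear in a disassembly; the last one is a
    # constructed value that matches no known export.
    found_in_sample = [
        api_hash("VirtualAllocEx"),
        api_hash("WriteProcessMemory"),
        api_hash("CreateRemoteThread"),
        0xDEADBEEF,
    ]
    table = build_rainbow(KERNEL32_EXPORTS)
    for const, name in annotate_constants(found_in_sample, table).items():
        print(f"0x{const:08X} -> {name}")
```

In practice the analyst-side table is built from the full export lists of the common system DLLs, and the first step when meeting a new family is to identify its hash routine in the disassembler and reimplement it as `api_hash` above; once that is done, the remote-thread-injection chain (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) usually falls out of the constants immediately.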
Casper attacks in Syria
Unlike Babar and EvilBunny, Casper appears to be a newer family that has been used in attacks as recently as April 2014. An operation involving the threat was spotted by Kaspersky in mid-April 2014. At the time, researchers noticed that jpic.gov.sy, a complaint website set up in 2011 by the Syrian Ministry of Justice, had been leveraged in a watering hole attack that involved an Adobe Flash Player zero-day exploit (CVE-2014-0515).
Kaspersky researchers could not identify the payload that had been served, but ESET, Cyphort, G DATA and the Computer Incident Response Center in Luxembourg (CIRCL) determined recently that it was likely Casper.
“According to our telemetry data, all the people targeted during this operation were located in Syria. These targets may have been the visitors of the jpic.gov.sy website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website,” ESET researcher Joan Calvet noted in a blog post.
“But we were actually unable to determine if this were indeed the case. In other words, it is just as likely that the targets have been redirected to the exploits from another location, for example from a hacked legitimate website or from a link in an email. What is known for sure is that the exploits, the Casper binaries and the C&C component were all hosted on this website’s server,” Calvet added.
Attribution and motivation
One possibility is that the attackers used the Syrian server for storage. They might have wanted to be able to access the data from within Syria, or they might have wanted to throw off investigators and make them believe the Syrian government was behind the attack.
Cyphort researcher Marion Marschalek noted that while the source code base suggests that the same authors are behind Casper, EvilBunny, Babar and NBOT, it doesn’t necessarily mean that all of the attacks involving these malware families were carried out by the same actor.
“Taking into account that the geographical area targeted by Casper is of high political interest for many parties and that the malware’s intention is clearly the preparation of a more targeted attack we expect the nature of the attack to be of political rather than criminal intent,” Marschalek said in a blog post.
“The considerably high amount of resources spent on development and distribution of the malware support this theory. Development of targeted malware with a level of sophistication shown by Casper requires a skilled team of developers; also the use of 0-day exploits in the distribution process leaves the conclusion the operators were very well funded,” Marschalek added.
In the case of Casper, ESET noted that there is no evidence linking the malware to French intelligence.
The theory that a French intelligence agency is behind the cartoon malware families is mainly supported by evidence presented by CSE for Babar. The presumption that the French government is involved is based on the list of targets, the countries where the attack infrastructure was hosted, the fact that “Babar the Elephant” is a fictional character from a French children’s book, a nickname used by one of the malware developers (titi), and some language and regional settings.
Other cartoon malware families
Kaspersky has also been monitoring this advanced threat actor, which it has dubbed “Animal Farm.” According to the security firm, the group uses a total of six major malware families. In addition to Casper, Bunny, Babar and NBOT, Kaspersky has observed Dino, a full-featured espionage platform, and Tafacalou (also known as TFC and Transporter), a validator-style Trojan.
Kaspersky has also identified a link to France. Experts believe the name Tafacalou, which is used internally by the threat actor, could stem from “Ta Fa Calou,” which means “so it’s getting hot” in Occitan, a language spoken in southern France, Monaco, and some parts of Spain and Italy.
*Updated with information from Kaspersky on the Animal Farm APT