France fingered as source of Syria-spying Babar malware
Crack team of malware boffins think DGSE coded reconware
France's spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say.
The Casper malware is one of a handful with links to the Babar spy program, which leaked NSA documents revealed last month to be the handiwork of France's Direction Générale de la Sécurité Extérieure (General Directorate for External Security or DGSE).
Babar emerged in 2009 and has since been used to steal keystrokes and clipboard contents and to listen in on Skype conversations, among other feats of interception.
ESET malware analyst Joan Calvet says in a report on Casper that it appears to have been used recently, in April 2014 actions against Syrian targets.
"To attack their targets, Casper’s operators used zero-day exploits in Adobe Flash, and these exploits were – surprisingly – hosted on a Syrian governmental website," Calvet says.
"Casper is a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines."
"These targets may have been the visitors of the jpic.gov.sy website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website."
The Syrian website may have been used as a means to store Casper's binaries and command and control componentry while concealing and misdirecting the identity of attackers.
Casper, analysed in a joint effort between malware researchers Marion Marschalek of Cyphort, Paul Rascagnères of GData, and security bods from the Computer Incident Response Center Luxembourg, could not be definitively pinned on France according to the technical analysis.
But Calvet was able to obtain Casper samples through ESET's malware network and found they matched the same Flash exploits Kaspersky researcher Vyacheslav Zakorzhevsky reported were used on the site last April.
Casper is notable for its identification and evasion of specific versions of four anti-virus platforms, including BitDefender, PC Tools, and Avast, which it identified on a target's Windows machine using the Windows Management Instrumentation facility.
Calvet says this suggests authors have "in-depth knowledge" of the way those anti-virus products work.
The malware flees a target machine if a product is detected, or injects code into a new process if it is found vulnerable, and receives instruction data from a now-offline command and control server, including the ability to deploy additional plugins.
The research team found its payloads were very similar to those of the DGSE project researchers dub Animal Farm, under which Babar and the Bunny and NBOT malware were developed.
"None of these signs alone is enough to establish a strong link but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organisation," Calvet says.
Kaspersky malware boffin Costin Raiu, who independently analysed Casper, told Motherboard the advanced Animal Farm hacking operation was likely the work of a nation state given the absence of financial gain.
“When you have such a large-scale operation going on for several years using multiple zero-days without any kind of financial outcome,” Raiu says.
“It’s obvious that it’s nation-state sponsored — it has to be.” ®