Animal Farm: Babar, Casper, and Evil Bunnies

After the Babar malware, security researchers have detected a new strain of malware, dubbed Casper, that appears to be linked to the French intelligence service.

Surveillance is the primary goal of intelligence agencies worldwide. A few weeks ago, security researchers detected a new malware, dubbed Babar, which is considered a product of French intelligence. According to the experts, Babar was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations.

The General Directorate for External Security is France's external intelligence agency; controlled by the French Ministry of Defence, it is in charge of foreign intelligence activities and national security. Casper was discovered by Canadian malware researchers who linked it to the DGSE.

Babar is a powerful spyware package capable of eavesdropping on online conversations held via popular messaging platforms, including Skype, MSN and Yahoo Messenger, as well as logging keystrokes and monitoring victims' web activity. Babar was used to spy on several Iranian nuclear research institutes and universities, and also to monitor the activities of European financial institutions. The name Babar appears in one of the documents leaked by NSA whistleblower Edward Snowden: the secret slides produced by the Canadian intelligence agency linked Babar to the French government.

Now, security experts have spotted a new malware, dubbed Casper, which is spyware designed to track Internet users for surveillance purposes. Casper was used by the attackers to compromise target systems, spy on them and drop other, more advanced persistent malware.

“According to the report, which Motherboard reviewed in advance, Casper was hosted on a hacked Syrian government website in April of last year. The incident caught the attention of some security researchers because the attackers used two zero-day vulnerabilities to infect victims,” states a blog post published by the Motherboard news portal.

The report analyzed by Motherboard revealed that Casper was designed by a French hacking group, linked to the French government, to conduct several espionage campaigns over the last few years. As explained in the report, the group behind Casper had access to two zero-day exploits, which were used in an attack detected in April 2014.

Security researchers believe that the development of Casper required a significant investment of resources and money, which is typical of government-built malware.

Babar and Casper have the same root

Malware specialists have found several similarities between Casper and Babar, and suggest that Casper was “likely” developed by the same group behind Babar. It seems that these and other hacking tools are part of the French cyber arsenal.

In December 2014, Cyphort Labs detected a sophisticated malware sample implementing a very complex evasion technique. “The malware is dubbed ‘EvilBunny’ and is designed to be an execution platform for Lua scripts injected by the attacker.” According to the new report written by Joan Calvet, a malware researcher at antivirus maker ESET, EvilBunny, together with other hacking tools such as the NBOT tool, suggests ties to the French intelligence services.

“We have reasons to believe that French intelligence has been using—or is even still using—at least four different malware families,” Marion Marschalek, another researcher who worked with Calvet and Paul Rascagneres in investigating the malware, told Motherboard.

Casper is just the latest tool, in chronological order, to be linked to the Animal Farm group. Security researchers believe the Animal Farm group has been active since at least 2009 or 2010.

“Other security researchers agree that Casper, perhaps named after the famous cartoon “friendly ghost,” was likely created by the French government and its spying agency the General Directorate for External Security (DGSE). They refer to the hacking group as the “Animal Farm” because of each malware’s animal-like and cartoon-inspired names,” continues Motherboard.

Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, confirmed that his team has been tracking Animal Farm since 2013; the well-known expert has no doubt about the nature of the hacking collective behind Casper.

“When you have such a large-scale operation going on for several years using multiple zero-days without any kind of financial outcome,” Raiu told Motherboard, “it’s obvious that it’s nation-state sponsored—it has to be.”

France’s Defense Ministry did not respond to Motherboard’s requests for comment.

###

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a leading firm in identity management, and a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.