Researchers at security firms ESET and Cyphort continue to analyze the malware families believed to have been developed by a French intelligence agency. The latest threat uncovered by the experts has been dubbed “Casper.”

In March 2014, the French publication Le Monde published some slides from Canada's Communications Security Establishment (CSE) describing “Operation Snowglobe,” a campaign discovered by the agency in 2009. Additional slides were made available by the German publication Der Spiegel in January 2015. The presentation revealed details on a piece of malware named Babar, which appeared to be the work of a French intelligence agency.

Based on the information from the slides, researchers first uncovered a piece of spyware, dubbed “EvilBunny,” which they believe is linked to Operation Snowglobe. Last month, G DATA and Cyphort published the details of a threat which they believe is Babar, the malware described in the CSE slides. Now they have come across Casper, which also appears to have been developed by the same authors.

Casper and the links to other cartoon malware families

The new threat has been dubbed Casper because its dropper implant is a file named Casper_DLL.dll. The name could stem from the animated cartoon series “Casper the Friendly Ghost.”

According to ESET and Cyphort, Casper appears to be a reconnaissance tool designed to harvest information on the infected system, including OS version and system architecture, default web browser, running processes, installed applications, applications that run on startup, and country and organization details.

Researchers have determined that Casper uses an interesting technique to evade detection by security solutions. The espionage tool checks which antivirus product is running on the infected system. A different strategy, which defines how the malware behaves, is available for four different antivirus products. If no antivirus is found, or if there is no specific strategy for the installed security software, a default strategy is applied.

Experts discovered several similarities between Casper, Babar, EvilBunny and NBOT, a threat that also seems to be linked to the cartoon malware families. The list of similarities includes enumeration of installed security solutions through Windows Management Instrumentation (WMI), a hashing algorithm used for hiding calls to API functions, unhandled exception filters, payload deployment through remote thread injection, embedded and encrypted configuration in XML format, and proxy bypass code.

Casper attacks in Syria

Unlike Babar and EvilBunny, Casper appears to be a newer family that has been used in attacks as recently as April 2014. An operation involving the threat was spotted by Kaspersky in mid-April 2014. At the time, researchers noticed that jpic.gov.sy, a complaint website set up in 2011 by the Syrian Ministry of Justice, had been leveraged in a watering hole attack that involved an Adobe Flash Player zero-day exploit (CVE-2014-0515). Kaspersky researchers could not identify the payload that had been served, but ESET, Cyphort, G DATA and the Computer Incident Response Center Luxembourg (CIRCL) recently determined that it was likely Casper.

“According to our telemetry data, all the people targeted during this operation were located in Syria. These targets may have been the visitors of the jpic.gov.sy website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website,” ESET researcher Joan Calvet noted in a blog post. “But we were actually unable to determine if this were indeed the case. In other words, it is just as likely that the targets have been redirected to the exploits from another location, for example from a hacked legitimate website or from a link in an email. What is known for sure is that the exploits, the Casper binaries and the C&C component were all hosted on this website’s server,” Calvet added.

Attribution and motivation

One possibility is that the attackers used the Syrian server for storage. They might have wanted to be able to access the data from within Syria, or they might have wanted to throw off investigators and make them believe the Syrian government was behind the attack.

Cyphort researcher Marion Marschalek noted that while the source code base suggests that the same authors are behind Casper, EvilBunny, Babar and NBOT, it doesn’t necessarily mean that all of the attacks involving these malware families were carried out by the same actor.

“Taking into account that the geographical area targeted by Casper is of high political interest for many parties and that the malware’s intention is clearly the preparation of a more targeted attack, we expect the nature of the attack to be of political rather than criminal intent,” Marschalek said in a blog post. “The considerably high amount of resources spent on development and distribution of the malware supports this theory. Development of targeted malware with a level of sophistication shown by Casper requires a skilled team of developers; also the use of 0-day exploits in the distribution process leaves the conclusion that the operators were very well funded,” Marschalek added.

In the case of Casper, ESET noted that there is no evidence linking the malware to French intelligence. The theory that a French intelligence agency is behind the cartoon malware families is mainly supported by the evidence presented by CSE for Babar. The presumption that the French government is involved is based on the list of targets, the countries where the attack infrastructure was hosted, the fact that “Babar the Elephant” is a fictional character from a French children's book, a nickname used by one of the malware developers (titi), and some language and regional settings.

Other cartoon malware families

Kaspersky has also been monitoring this advanced threat actor, which it has dubbed “Animal Farm.” According to the security firm, the group uses a total of six major malware families. In addition to Casper, Bunny, Babar and NBOT, Kaspersky has observed Dino, a full-featured espionage platform, and Tafacalou (also known as TFC and Transporter), a validator-style Trojan.

Kaspersky has also identified a link to France. Experts believe the name Tafacalou, which is used internally by the threat actor, could stem from "Ta Fa Calou," which means "so it's getting hot" in Occitan, a language spoken in southern France, Monaco, and some parts of Spain and Italy.

*Updated with information from Kaspersky on the Animal Farm APT

Source: securityweek.com
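The article lists "a hashing algorithm used for hiding calls to API functions" among the traits shared by Casper, Babar, EvilBunny and NBOT. When a sample resolves imports this way, the import table shows nothing useful and the analyst has to rebuild the mapping from hash to export name. The script below is an added example of that analyst-side resolver; it is not code from the article or from the cartoon families. The page does not state which hash function these samples use, so a ROR13 name hash (a common choice in shellcode) stands in here as an assumption, the export list and the observed hashes are constructed, and the collision reporting is the part worth keeping when you swap in the real routine recovered from the disassembly.

```python
"""
Resolve hashed Windows API names back to export names.

Assumption: the hash routine used by Casper/Babar is not given on the
page; ror13_hash below is a hypothetical stand-in.  Replace it with the
routine lifted from the sample's resolver loop and keep the rest.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    shift %= 32
    return ((value >> shift) | (value << (32 - shift))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR13 name hash: h = ror(h, 13) + byte, over the ASCII name.
    Hypothetical; not the algorithm from the samples discussed above."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_hash_table(export_names, hash_fn=ror13_hash):
    """Map hash -> export name for every export in the list.

    Collisions are returned rather than silently resolved: a resolver that
    picks an arbitrary name on a collision will mislabel the sample's calls.
    """
    table = {}
    collisions = []
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            collisions.append((h, table[h], name))
        table.setdefault(h, name)
    return table, collisions


def resolve_hashes(hashes, table):
    """Resolve each observed hash; unknown ones are kept as hex so that a
    hash from a DLL not yet in the export list is visible, not dropped."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


# Constructed export list (a few kernel32 names an injector would need).
SAMPLE_EXPORTS = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "SetUnhandledExceptionFilter", "GetModuleHandleA",
]

# Constructed "observed" hashes, as if copied out of the sample's resolver
# loop; computed with the stand-in hash so the demo runs offline.  The last
# value is a deliberate unknown to show the miss path.
OBSERVED = [
    ror13_hash(n) for n in (
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"
    )
] + [0xDEADBEEF]


def demo():
    """Build the table over SAMPLE_EXPORTS and resolve OBSERVED."""
    table, collisions = build_hash_table(SAMPLE_EXPORTS)
    return resolve_hashes(OBSERVED, table), collisions


if __name__ == "__main__":
    names, collisions = demo()
    for n in names:
        print(n)
    print("collisions:", collisions)
```

In practice the export list comes from parsing the export directory of each DLL the sample loads (pefile does this), and the hash function comes from the sample itself; once both are in place the resolved sequence (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) is exactly the remote thread injection chain the article mentions, which is why recovering the hash table early pays off.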
G DATA SecurityLabs has analyzed a spyware sample that records and exfiltrates keystrokes, clipboard data, monitoring data and audio conversations, thereby confirming the Snowden revelations about a spyware strain of French origin documented by the Canadian intelligence service CSEC (Communication Security Establishment Canada). The French newspaper Le Monde was the first to report the existence of these documents almost a year ago. G DATA's experts have now published the technical details for the first time, following an analysis of the Babar malware carried out together with other international security research organizations.

The analysts could not establish whether the malware's command-and-control servers were deliberately set up or had been compromised. In the experts' opinion, developing such a program requires substantial investment in personnel and infrastructure. The malware's level of complexity suggests that it originates from an intelligence service. The Canadian intelligence service considers responsible for the malw

“Babar is a very sophisticated spyware program that could only have been produced by very well trained programmers,” explains Eddy Willems, Security Evangelist at G DATA Software AG. “Babar is designed to operate specifically in the networks of companies, public authorities, organizations and research institutes, from which it steals sensitive data. As a result, audio conversations, such as those on Skype, for example, can be recorded.” Even a targeted attack on individual users seems possible. Mass distribution of such malware is, however, very unlikely, says Willems.

History of the CSEC documents

In March 2014, the French daily Le Monde received a report on documents from the Canadian intelligence service CSEC (Communication Security Establishment Canada), dated 2011, which came to light during Edward Snowden's revelations. The German news magazine Der Spiegel took up the subject in January 2015 and published additional content from these documents: Operation Snowglobe.

What is Babar?

Babar is a remote administration tool (RAT) whose main function is to spy on data. According to the Canadian intelligence service, and following the analysis of the EvilBunny malware in December 2014, Babar was also the code name of an operation by a national intelligence service, called Snowglobe. This shows that Babar could be the second malware strain identified as connected to the Snowglobe spyware campaign. The name “Babar” comes from a series of French children's books whose hero is an elephant. Because of the similarities between them, the security experts at G Data are convinced that the two strains come from the same developers.

Detailed technical information can be found on the G Data blog: https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html

Source