Cyberespionage arsenal could be tied to French intelligence agencies

Five additional Trojan programs are related to the Babar malware that Canada's government believes is the work of French intelligence

A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.

Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.
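The shared "export hashing" implementation mentioned above is one of the more reliable code-similarity indicators an analyst has. Malware that resolves Windows APIs by hash walks a module's export table and compares a hash of each export name against a hard-coded constant, so the imported names never appear in the binary; two samples built from the same resolver leak that relationship because the same API reduces to the same constant in both. The following is an added example (not code from the article or from any of the vendors it cites) that implements one such resolver and the analyst-side matching of constants across two samples. The ROR-13 routine is the textbook variant used by many shellcode API resolvers and is an assumption for illustration, not the algorithm Animal Farm used; the export list and the two samples' constants are constructed.

```python
"""Export-name hashing as a code-similarity indicator (added example).

The hash routine (ROR-13) is an assumption chosen for illustration; nothing
here claims to reproduce the Animal Farm resolver. Export names and the two
"samples" below are constructed, not dumped from real binaries.
"""


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def export_hash(name: str) -> int:
    """Hash an export name the way a hash-based API resolver does.

    h = ror(h, 13) + byte for each byte of the ASCII name (assumed routine).
    """
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed export table: a handful of kernel32 names, including the
# Toolhelp APIs used for process listing. Not a real export dump.
KERNEL32_EXPORTS = [
    "CreateProcessW",
    "CreateToolhelp32Snapshot",
    "LoadLibraryA",
    "Process32FirstW",
    "Process32NextW",
    "TerminateProcess",
    "VirtualAlloc",
]


def resolve_by_hash(exports, wanted_hash):
    """Loader side: return the export whose hash matches, or None.

    This is what the implant does at run time instead of importing by name.
    """
    for name in exports:
        if export_hash(name) == wanted_hash:
            return name
    return None


def shared_api_hashes(sample_a_constants, sample_b_constants, exports):
    """Analyst side: recover the API names behind constants found in both samples.

    Constants present in both samples that resolve under the same hash routine
    are exactly the overlap that ties two families to one code base. Constants
    that resolve in neither sample are reported separately by the caller.
    """
    table = {export_hash(n): n for n in exports}
    common = set(sample_a_constants) & set(sample_b_constants)
    return sorted(table[h] for h in common if h in table)


# Constructed constants "pulled" from two samples: both walk the process list,
# sample A also allocates memory, sample B kills processes and carries one
# constant that does not resolve against our table.
SAMPLE_A_CONSTANTS = [export_hash(n) for n in (
    "CreateToolhelp32Snapshot", "Process32FirstW", "VirtualAlloc")]
SAMPLE_B_CONSTANTS = [export_hash(n) for n in (
    "CreateToolhelp32Snapshot", "Process32FirstW", "TerminateProcess")]
SAMPLE_B_CONSTANTS.append(0x12345678)  # unresolved constant, constructed


if __name__ == "__main__":
    print("LoadLibraryA ->", hex(export_hash("LoadLibraryA")))
    print("shared APIs  ->", shared_api_hashes(
        SAMPLE_A_CONSTANTS, SAMPLE_B_CONSTANTS, KERNEL32_EXPORTS))
```

In practice the analyst does not know the hash routine up front; it is recovered from the resolver loop in the disassembly, and only then can constants from a second sample be checked against it. A match on the routine itself (same rotation count, same accumulator width) is already a weak link; matching constants for the same APIs across samples, as the function above checks, is a much stronger one.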

In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand -- collectively known as the Five Eyes intelligence alliance.

One of those documents, which was part of the files leaked to journalists by former NSA contractor Edward Snowden, was a presentation from the Communications Security Establishment Canada (CSEC) dated 2011 that described a foreign cyberespionage operation dubbed SNOWGLOBE.

CSEC, a Canadian government intelligence agency, named the Trojan program used in the operation SNOWBALL, but noted that its internal name was Babar, the name of a popular French children's book series and television show. It also noted other French connections, including the user name of the malware's developer, "titi," a French diminutive of Thierry; the use of kilooctet (ko) instead of kilobyte (KB), as is typical of the French technical community; and the locale of the development computer being set to "fr_FR."

According to CSEC, Babar's victims also matched French intelligence priorities: Iranian science and technology research organizations, European financial associations, French-speaking media organizations and organizations in former French colonies like Algeria and the Ivory Coast.

"CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency," CSEC concluded in the presentation that was shared with the Five Eyes partners.

In February, researchers from security firm Cyphort identified and analyzed an information-stealing Trojan whose internal project name was Babar64. The malware program was capable of logging keystrokes, taking screenshots, capturing audio streams from Voice-over-IP applications, stealing clipboard data, and more.

The Cyphort researchers found similarities to an older malware program they had dubbed EvilBunny.

"We assume the same author is behind both families," they said in a blog post.

On Thursday, security researchers from antivirus firm ESET published a report about yet another Trojan program related to Babar and EvilBunny that they dubbed Casper. The program was distributed in April 2014 from a website operated by the Syrian Ministry of Justice using two Flash Player zero-day exploits -- exploits for previously unknown vulnerabilities.

"We are confident that the same group developed Bunny, Babar and Casper," the ESET researchers said in a blog post. Casper did not contain any clues that would point to a French origin, but the use of zero-day exploits indicates that it was created by a powerful organization, they said.

Finally, on Friday, researchers from Kaspersky Lab completed the picture with three more malware programs, called Dino, NBot and Tafacalou, that they believe were created by the same group as Bunny, Babar and Casper. The Kaspersky researchers have dubbed the group Animal Farm and believe it has been active since at least 2009.

Over the years the group targeted government organizations, military contractors, humanitarian aid organizations, private companies, activists, journalists and media organizations, the Kaspersky researchers said in a blog post.

Tafacalou is a first-stage Trojan that the attackers use to check if the infected computers belong to their intended targets before deploying the more potent Dino or Babar cyberespionage implants.

Kaspersky has seen Tafacalou infections in Syria, Iran, Malaysia, the U.S., China, Turkey, the Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand and Ukraine.

While the researchers stop short of associating Animal Farm with any specific country or intelligence agency, they point out that Tafacalou might be a variation of an Occitan phrase meaning "so it's getting hot." Occitan is a language spoken in Southern France, Monaco and some areas of Italy and Spain.

By Lucian Constantin