Ake Tyler – STIC - FedEx Services
In March 2014, the French newspaper Le Monde revealed that the Communications Security Establishment Canada (CSEC) suspected France of having developed and deployed malicious software for espionage purposes.
What is Casper?
• Casper is surveillance malware that was used as an initial, first-stage program.
• Casper was hosted in a folder on the website, and users who accessed that folder were infected by the surveillance malware.
CyberSecurity 2014
How Casper works
• Casper is a first-stage implant that is delivered to the desired target.
• The malware was hosted in a folder on the website’s server, and users who accessed that folder were infected.
• After obtaining information, the attackers could determine whether the victim was interesting and worth further hacking.
• A few months ago, cyber security researchers detected a new French malware named Babar.
• Babar malware was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations.
• Casper was discovered by Canadian malware researchers who linked it to the French General Directorate for External Security (DGSE).
Babar and Casper have the same root
• Malware specialists have discovered several similarities between Casper and Babar.
• The experts maintain that Casper was “likely” developed by the same group behind Babar, and both were connected by documents leaked by Edward Snowden.
• They refer to the hacking group as the “Animal Farm” because of each malware’s animal-like and cartoon-inspired names.
Similarities of the Malware
• Proxy bypass code.
• Enumeration of installed anti-virus solutions through WMI.
• Embedded and encrypted configuration in
• Partial API name hashing, Casper sharing the algorithm with Nbot and Bunny.
• Payload deployment by remote thread injection through mapping of section objects.
• Using unhandled exception filters, calling ExitProcess in case of exception.
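An added analyst-side example for the partial API name hashing bullet above (not code from the slides or from the Casper/Babar research): once the hash routine a family uses has been recovered, one lookup table resolves the hash constants in any sample that shares it, which is what makes a shared algorithm an attribution signal. The hash function, export list and byte blob below are constructed stand-ins, not Casper’s.

```python
"""Resolve hashed API names found in a sample back to plain names.
The hash routine is a stand-in for illustration; the page does not give the
algorithm Casper shares with NBot and Bunny. Swap in the recovered one here."""
import struct

MASK32 = 0xFFFFFFFF
# Constructed export list; a real resolver loads the export tables of the
# DLLs the sample maps (kernel32, ntdll, wininet, ...).
KNOWN_EXPORTS = [
    "ExitProcess", "SetUnhandledExceptionFilter", "CreateRemoteThread",
    "NtMapViewOfSection", "InternetOpenA", "HttpSendRequestA", "VirtualAllocEx",
]

def api_hash(name: str) -> int:
    """Stand-in hash (hypothetical, not Casper's): rotate right 13, add byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # 32-bit rotate right by 13
        h = (h + byte) & MASK32
    return h

def build_table(names):
    """Precompute hash -> name so each constant found in a sample is one lookup."""
    table = {}
    for name in names:
        h = api_hash(name)
        if table.get(h, name) != name:
            raise ValueError(f"hash collision between {name!r} and {table[h]!r}")
        table[h] = name
    return table

def scan_blob(blob: bytes, table):
    """Scan a little-endian blob (e.g. a carved data section) at every byte
    offset for known hash constants; returns [(offset, api_name), ...]."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits

# Constructed stand-in for bytes carved from a sample: padding, two hashed
# names, more padding, then a constant that is not a known API hash.
SAMPLE_BLOB = (b"\x90" * 4
               + struct.pack("<II", api_hash("NtMapViewOfSection"), api_hash("ExitProcess"))
               + b"\x00" * 3 + struct.pack("<I", 0x12345678))

def resolve_sample():
    """Resolve every recognisable hash constant in SAMPLE_BLOB."""
    return scan_blob(SAMPLE_BLOB, build_table(KNOWN_EXPORTS))
```

Scanning at every byte offset rather than only aligned words matters because hash constants often sit inside instruction immediates, not in aligned data.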
How Does Casper Relate to the Other Cartoons?
• Casper hides its calls to API functions
• Casper fetches information about the running antivirus
• Casper generates delimiters for its HTTP
Members of the cartoon malware family