Security and Malware family Cybersecurity Essay

Submitted By Memphis100
Words: 535
Pages: 3

Casper Malware Brownbag

Ake Tyler – STIC - FedEx Services

In March 2014, the French newspaper Le Monde revealed that France is suspected by the Communications Security Establishment Canada (CSEC) of having developed and deployed malicious software for espionage purposes.

What is Casper?
• Casper surveillance malware was used as an initial program

• Casper malware was hosted in a folder on the website, and users who accessed that folder were infected by the surveillance malware.

CyberSecurity 2014

How Casper works
• A first stage implant that is delivered to the desired target.

• The malware is then hosted in a folder on the website’s server, and users who accessed that folder were then infected.

• After obtaining information, the attackers could determine whether the victim was interesting and worthy of further hacking.

Babar malware
• A few months ago, cyber security researchers detected a new French malware named Babar.

• Babar malware was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations.

• Casper was discovered by Canadian malware researchers that linked it to the French General Directorate for External Security.

Babar and Casper have the same root
• Malware specialists have discovered several similarities between Casper and Babar.

• The experts maintain that Casper was “likely” developed by the same group behind Babar, and that both were connected by documents leaked by Edward Snowden.

• They refer to the hacking group as the “Animal Farm” because of each malware’s animal-like and cartoon-inspired names.

Similarities of the Malware
• Proxy bypass code.
• Enumeration of installed anti-virus solutions through WMI.
• Embedded and encrypted configuration in XML format.
• Partial API name hashing, Casper sharing the algorithm with Nbot and Bunny.
• Payload deployment by remote thread injection through mapping of section objects.
• Using unhandled exception filters, calling ExitProcess in case of exception.

How Does Casper Relate to the Other Cartoons?

• Casper hides its calls to API functions
• Casper fetches information about the running antivirus

• Casper generates delimiters for its HTTP

Members of the cartoon malware family

Same…