Security and Malware family Cybersecurity Essay

Submitted By Memphis100
Words: 535
Pages: 3

Casper Malware Brownbag

Ake Tyler – STIC - FedEx Services




In March 2014, the French newspaper Le Monde revealed that France is suspected by the Communications Security Establishment Canada (CSEC) of having developed and deployed malicious software for espionage purposes.


What is Casper?
• Casper is surveillance malware that was used as an initial, first-stage program on a victim's machine.

• Casper malware was hosted in a folder on the website, and users who accessed that folder were infected by the surveillance malware.

CyberSecurity 2014


How Casper works
• Casper is a first-stage implant that is delivered to the desired target.

• The malware is hosted in a folder on the website's server, and users who accessed that folder were then infected.

• After obtaining information from the victim's machine, the attackers could determine whether the victim was interesting and worthy of further hacking.


Babar malware
• A few months ago, cyber security researchers detected a new French malware named Babar.

• Babar malware was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations.

• Casper was discovered by Canadian malware researchers, who linked it to the French General Directorate for External Security (DGSE).


Babar and Casper have the same root
• Malware specialists have discovered several similarities between Casper and Babar.

• The experts maintain that Casper was “likely” developed by the same group behind Babar, and both were connected to that group by documents leaked by Edward Snowden.

• They refer to the hacking group as the “Animal Farm” because of each malware’s animal-like and cartoon-inspired names.


Similarities between the malware families
• Proxy bypass code.
• Enumeration of installed anti-virus solutions through WMI.

• Embedded and encrypted configuration in
XML format.

• Partial API name hashing; Casper shares the hashing algorithm with Nbot and Bunny.

• Payload deployment by remote thread injection through mapping of section objects.

• Use of unhandled exception filters, calling ExitProcess in case of an exception.


How Does Casper Relate to the Other Cartoons?

• Casper hides its calls to API functions
• Casper fetches information about the running antivirus

• Casper generates delimiters for its HTTP


Members of the cartoon malware family
