Researchers have uncovered another malware that used a hacked Syrian site to infect victims.
Image: Darron Birgenheier/Flickr
Two weeks ago, a group of cybersleuths revealed the best evidence yet that France is hacking and infecting surveillance targets—just like the NSA or the British spy agency GCHQ.
Now, researchers have discovered the existence of Casper, a stealthy tool designed to profile victims and flag persons of interest for further surveillance, according to a new report to be published on Thursday.
It is believed to be the work of a hacking group with suspected French government ties, and part of a Swiss Army knife of spying tools used to conduct multiple espionage campaigns over the last few years.
According to the report, which Motherboard reviewed in advance, Casper was hosted on a hacked Syrian government website in April of last year. The incident caught the attention of some security researchers because the attackers used two zero-day vulnerabilities to infect victims—unknown and unpatched software bugs that hackers can exploit.
Although there is no direct evidence implicating France, Casper was "likely" developed by the same group behind Babar, Bunny and another hacking tool called NBOT—previous tools with suggested ties to the French—according to the new report written by Joan Calvet, a malware researcher at anti-virus maker ESET.
Other security researchers agree that Casper, perhaps named after the famous cartoon "friendly ghost," was likely created by the French government and its spying agency the General Directorate for External Security (DGSE). They refer to the hacking group as the "Animal Farm" because of each malware's animal-like and cartoon-inspired names.
France's Defense Ministry did not respond to Motherboard's requests for comment.
"We have reasons to believe that French intelligence has been using—or is even still using—at least four different malware families."
"We have reasons to believe that French intelligence has been using—or is even still using—at least four different malware families," Marion Marschalek, another researcher who worked with Calvet and Paul Rascagneres in investigating the malware, told Motherboard.
While attribution is always a tricky business, "it all seems to point in the same direction," said Morgan Marquis-Boire, a former Google security researcher who's now director of security for First Look Media.
For example, there are numerous similarities between the different strains of malware linked to the Animal Farm group, which includes a malware platform called Babar that Canadian intelligence suggested was created by French spies.
Babar was designed to eavesdrop on online conversations conducted over Skype, MSN Messenger, and Yahoo Messenger; to log keystrokes; and to monitor Internet browsing. The malware has been used at least since 2009, according to researchers.
Based on links between the different malware and the Snowden slides, "the evidence suggests that [Casper] was written by the French government" too, Marquis-Boire said.
Here's What Casper Does
Casper is "a first stage implant that you deliver to victims to see who they are," said Costin Raiu, the director of the Global Research and Analysis Team at Kaspersky Labs. He has independently investigated Casper and the other malware in its family.
In April of 2014, Casper was hosted inside the website jpic.gov.sy, which was set up in 2011 by the Syrian government for citizens to send complaints to the Bashar al-Assad regime. It's unclear how the hackers compromised the site, but it was probably an easy target, given that a hacktivist apparently hacked it in 2013, and another group defaced it last year.
The malware was hosted in a folder on the website's server, and users who accessed that folder were then infected. However, it's unclear how Casper's victims were directed there in the first place. They could have clicked on a link in a spear phishing email, or been redirected from another website, Calvet said.
According to ESET's data, some of the victims were located in Syria, but it's also unclear who exactly Casper intended to target.
Either way, the use of zero-days on a hacked Syrian government website left researchers at the time scratching their heads. Zero-days are hard to find and they are the most precious—and effective—weapons for a hacker or government, since their existence is unknown. Calvet and ESET later obtained the malware payloads and determined that Casper was a "discreet" reconnaissance tool designed to profile its victims and send a detailed report back to the attackers.
With this report, the attackers could determine whether the victim was interesting and worthy of further hacking. If that was the case, Casper enabled the attackers to deploy additional malware, such as Babar, through a built-in platform for plugins, according to Calvet's report.
The Animal Farm
Casper is just the latest tool to be linked to the Animal Farm group, according to the researchers, which they believe has been active since at least 2009 or 2010.
Raiu said that Kaspersky has been tracking Animal Farm since 2013, and they have determined that the group has targeted governments, military contractors, human rights organizations, activists, and even journalists and media organizations through long and sophisticated cyberspying operations.
"When you have such a large-scale operation going on for several years using multiple zero-days without any kind of financial outcome," Raiu told Motherboard, "it's obvious that it's nation-state sponsored—it has to be."
"There are other members of the farm that we haven't discovered yet."
For Raiu and his colleagues, it's "pretty obvious" that Animal Farm is behind Casper—although Raiu too declined to explicitly point the finger at France.
They say that the group is from a French speaking country, based on some clues found in code from the various malware strains. And according to Calvet, Casper shares several features—such as how it detects which antivirus software is running on a victim's machine—with other strains such as Bunny and NBOT.
Raiu said that his team has also reached a similar conclusion, based on the fact that some Animal Farm malware shares the same code and command and control infrastructure. But there's still work left to do. Already, Kaspersky has detected early evidence of another operation by the same group—this time targeting victims in Morocco and Burkina Faso.
"There are other members of the farm that we haven't discovered yet," Raiu said.