Security researchers have discovered a new state-sponsored targeted attack campaign with links to the French Babar spyware which was used last year against Syrian targets.
Casper is a “well-developed reconnaissance tool” with several features designed specifically to remain hidden on victim machines and outsmart anti-virus products, according to Eset analyst Joan Calvet.
She claimed in a blog post on Thursday that the firm was able to study two Flash zero-day exploits targeting the CVE-2014-0515 vulnerability which were found on a Syrian Justice Ministry website.
These payloads were “very likely” developed by the people behind Babar and two other pieces of related French malware dubbed Bunny and NBOT, she said.
Eset knows this because they all share several features, including the fact that they hide calls to API functions “by using a hash calculated from the functions’ names, rather than the names themselves.”
The different pieces of malware also retrieve information about the AV running on a targeted machine through the same WMI request, and compute the SHA-256 hash of the first word of the anti-virus name, Calvet claimed.
“Casper generates delimiters for its HTTP requests by filling a specific format string with the results of calls to the GetTickCount API function. The same code is present in some NBOT samples,” she added.
“None of these signs alone is enough to establish a strong link but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organization.”
All those targeted by Casper were located in Syria, but Eset couldn’t determine if they’d been redirected from a legitimate page of the same compromised government website – jpic.gov.sy – or from another source, such as a malicious email link or hacked third party site.
Calvet added:
“This leads us to a second hypothesis: the ‘jpic.gov.sy’ website could have been hacked to serve as a storage area. This would have at least two advantages for the attackers: firstly, hosting the files on a Syrian server can make them more easily accessible from Syria, a country whose internet connection to the outside world has been unstable since the beginning of the civil war… Secondly, it would mislead attribution efforts by raising suspicion against the Syrian government.”
There was, however, no evidence in Casper itself “to point a finger at a specific country,” although it is clear that its authors belonged to a “powerful organization,” Calvet concluded.
Uncovered last month after being mentioned in documents leaked by Edward Snowden, Babar is thought to be the work of France's Direction Générale de la Sécurité Extérieure.