Cyberespionage arsenal could be tied to French intelligence agencies

Five additional Trojan programs are related to the Babar malware that Canada's government believes is the work of French intelligence

A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.

Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.
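The shared "export hashing" routine mentioned above is one of the fingerprints analysts use to cluster samples: malware that resolves Windows API exports by a numeric hash rather than by name forces the analyst to rebuild a hash-to-name table, and two samples that reproduce the same routine over the same hashes are likely to share a code base. The following is an added illustration written for this article, not code from any of the research teams; the ROR-13 style hash is an assumption chosen for illustration (the article does not say which algorithm the Babar family uses), and the export list is a small constructed stand-in for a real DLL's export table.

```python
"""
Reverse-lookup table for hashed API names, the analyst-side counterpart
to malware that resolves exports by hash instead of by name.

ASSUMPTION: the ROR-13 style hash below is illustrative; the article does
not state which routine the Babar family uses. SAMPLE_EXPORTS is a
constructed list, not a dump of any real system DLL.
"""


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= 0xFFFFFFFF
    return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF


def api_hash(name: str) -> int:
    """Illustrative ROR-13 hash over the ASCII bytes of an export name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Constructed export names standing in for a system DLL's export table.
SAMPLE_EXPORTS = [
    "CreateProcessW", "OpenProcess", "TerminateProcess",
    "Process32FirstW", "Process32NextW", "CreateToolhelp32Snapshot",
    "GetClipboardData", "SetWindowsHookExW",
]


def build_lookup(exports):
    """Map hash -> export name so hashed references in a sample can be named."""
    table = {}
    for name in exports:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name}")
        table[h] = name
    return table


def resolve(hashes, table):
    """Translate hashes recovered from a sample back to export names."""
    return [table.get(h, f"unknown_{h:08x}") for h in hashes]


def shared_resolver_fingerprint(hashes_a, hashes_b, table):
    """Exports two samples both resolve through the same routine: a clustering clue."""
    return sorted(set(resolve(hashes_a, table)) & set(resolve(hashes_b, table)))


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Constructed hash lists, as if pulled from two different samples.
    sample_a = [api_hash(n) for n in ("Process32FirstW", "Process32NextW", "OpenProcess")]
    sample_b = [api_hash(n) for n in ("Process32FirstW", "Process32NextW", "GetClipboardData")]
    print(resolve(sample_a, table))
    print(shared_resolver_fingerprint(sample_a, sample_b, table))
```

In practice the table is built from the real export lists of the DLLs a sample loads, and the hash routine is lifted from the sample's own disassembly; if several samples carry the same routine and resolve the same process-listing exports, that overlap is exactly the kind of link the researchers describe.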

In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand -- collectively known as the Five Eyes intelligence alliance.

One of those documents, which was part of the files leaked to journalists by former NSA contractor Edward Snowden, was a presentation from the Communications Security Establishment Canada (CSEC) dated 2011 that described a foreign cyberespionage operation dubbed SNOWGLOBE.

CSEC, a Canadian government intelligence agency, named the Trojan program used in the operation SNOWBALL, but noted that its internal name was Babar, the name of a popular French children's book series and television show. It also noted other French connections, including the user name of the malware's developer, "titi," which is the French diminutive for Thierry; the use of kilooctet (ko) instead of kilobyte (KB), which is typical of the French technical community; and the language option of the development computer being "fr_FR."

According to CSEC, Babar's victims also matched French intelligence priorities: Iranian science and technology research organizations, European financial associations, French-speaking media organizations and organizations in former French colonies like Algeria and the Ivory Coast.

"CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency," CSEC concluded in the presentation that was shared with the Five Eyes partners.

In February, researchers from security firm Cyphort identified and analyzed an information-stealing Trojan whose internal project name was Babar64. The malware program was capable of logging keystrokes, taking screenshots, capturing audio streams from Voice-over-IP applications, stealing clipboard data, and more.

The Cyphort researchers found similarities to an older malware program they had dubbed EvilBunny.

"We assume the same author is behind both families," they said in a blog post.

On Thursday, security researchers from antivirus firm ESET published a report about yet another Trojan program related to Babar and EvilBunny that they dubbed Casper. The program was distributed in April 2014 from a website operated by the Syrian Ministry of Justice using two Flash Player zero-day exploits -- exploits for previously unknown vulnerabilities.

"We are confident that the same group developed Bunny, Babar and Casper," the ESET researchers said in a blog post. Casper did not contain any clues that would point to a French origin, but the use of zero-day exploits indicates that it was created by a powerful organization, they said.

Finally, on Friday, researchers from Kaspersky Lab completed the picture with three more malware programs called Dino, NBot and Tafacalou that they believe were created by the same group as Bunny, Babar and Casper. The Kaspersky researchers have dubbed the group Animal Farm and believe it has been active since at least 2009.

Over the years the group targeted government organizations, military contractors, humanitarian aid organizations, private companies, activists, journalists and media organizations, the Kaspersky researchers said in a blog post.

Tafacalou is a first-stage Trojan that the attackers use to check if the infected computers belong to their intended targets before deploying the more potent Dino or Babar cyberespionage implants.

Kaspersky has seen Tafacalou infections in Syria, Iran, Malaysia, the U.S., China, Turkey, the Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand and Ukraine.

While the researchers stop short of associating Animal Farm with any specific country or intelligence agency, they point out that Tafacalou might be a French variation for the phrase "so it's getting hot" in Occitan, a language spoken in Southern France, Monaco and some areas of Italy and Spain.


Lucian Constantin

IDG News Service