In March 2015, researchers detected Babar for the first time, analysis led them into believing it was a product of the French intelligence. According to the experts, Babar malware was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations.
The General Directorate for External Security is the France‘s external intelligence agency, which is controlled by the French ministry of Defence, in charge of intelligence activities and national security.
Babar is a powerful spyware that is capable of eavesdropping on online conversations held via popular messaging platforms, including Skype, MSN and Yahoo messenger, as well as logging keystrokes and monitoring victim’s web activities. Babar was used to spy on several Iranian nuclear research institutes and universities, but it was used also to monitor activities of European financial institutions. The name Babar is reported in one of the documents leaked by NSA whistleblower Edward Snowden. The secret slides produced by the Canadian intelligence agency linked Babar to the French Government.
Babar was used by a cyber espionage group known as the Animal Farm that was first spotted in March 2014, when a French publication released a series of slides from Edward Snowden. The group targeted government organizations, military contractors, media companies, private firms, activists worldwide.
The arsenal of the Animal Farm includes Babar, EvilBunny, and Casper, but the list is long and NBot, Tafacalou (TFC / Transporter) and Dino are other malicious code used by the APT.
Back in 2015, Kaspersky found evidence of some Animal Farm malware being developed as far back as 2007, but the security firm did not share any details.
Experts at PaloAlto Networks now announced they have found a strain of Babar, also known as Snowball, dated back 2007, it is the older one considering that samples of this malware had dated back to 2011.
“Previous samples of SNOWBALL date back to 2011. However, Palo Alto Networks Unit 42 has identified a much older version. This version of the malware dates back to 2007 according to its compilation time stamp which we believe is valid.” reads the analysis shared by PaloAlto Networks.
“Analysing historical malware samples helps us learn about its set of features and technical capabilities. This helps us compare a tool used by one adversary to that used by similarly adversaries at that time.”
Researchers discovered a loader with a compilation timestamp of 11/09/2007 11:37:36 PM and a payload compiled just 10 seconds later. Experts believe both timestamps are genuine.
Experts noticed that when the spyware is not able to gather information on the default Web browser if it is Chrome because Google released it in 2008.
The experts discovered that the Babar sample had abused the official website of the Permanent Council of Accounting of the Democratic Republic of the Congo (cpcc-rdc.org) for command and control (C&C) communications.
“As can be seen, a third-party website was compromised as C2 server to host a script named outbase.php. The domain (cpcc-rdc.org) is the official site of Permanent Council of Accounting of the Democratic Republic of the Congo. The script is not online anymore as the attack was most likely carried many years ago.” continues the analysis.
Experts also found a design flaw that resulted in configuration data that should have been encrypted to be accessible in clear text, which is surprising considering that the malware was developed by a sophisticated actor.
Code and structure analysis suggests that the Casper malware used by Animal Farm is based on this version of Babar.
Palo Alto Networks states Babar is not complex compared with other nation-state malware, such as Regin or Careto.
“Technically, it is not outstanding and can be considered only average compared to alleged state sponsored malware written at that time (e.g. Careto or Regin). The code and structure is similar to the Casper implant which is most likely based on this implant. The malware contains an obvious design flaw leaving the main part of the configuration data visible in clear text.” concluded Palo Alto Networks.
(Security Affairs – Babar malware, Casper)