CASPER Surveillance Malware Linked to French Government


Rogue987
Thread author
Jan 7, 2015
Last month, cyber security researchers spotted a new strain of French surveillance malware, dubbed "Babar," which revealed that even the French Government and its spying agency, the General Directorate for External Security (DGSE), is dedicatedly involved in conducting surveillance operations just like the United States — NSA and the United Kingdom — GCHQ.

A powerful piece of surveillance malware, known as "Casper," has recently been discovered by Canadian security researchers, which once again points fingers at the French government.

CASPER SURVEILLANCE MALWARE LINKED TO FRANCE
The newly discovered sophisticated Casper surveillance malware is believed to have been developed by a France-based hacking group suspected to have ties with the French government, according to the report published by Motherboard.

The report suggests that a French hacking group has developed a ‘Swiss Army knife of spying tools’ which has been used by the French government to conduct multiple espionage campaigns over the last few years.

WHAT IS CASPER ?
Casper is a ‘recognition tool’, designed to profile its targets and determine whether the victim is of interest for further surveillance or not. Casper surveillance malware was used as an initial program before deploying any advanced persistent malware into the targeted computers for espionage purposes.

In April 2014, Casper surveillance malware was especially hosted on a hacked Syrian Government’s Ministry of Justice website to infect its targets by exploiting two Flash Player zero-day vulnerabilities that were not known publicly at that time.

The Syrian Ministry of Justice website was set up in 2011 by the government for citizens to send complaints to the Bashar al-Assad regime. Casper malware was hosted in a folder on the website, and users who accessed that folder were infected by the surveillance malware.

These kinds of zero-day exploits, in some way, open doors for hackers to collect information from the target computers and cost millions of dollars in the exploit market. It is believed that Casper surveillance malware was created by experts with significant financial resources, i.e. state-sponsored.

BABAR, CASPER — SAME MALWARE FAMILY — SAME FATHER
After analyzing the code fragments of the Casper malware, researchers found numerous similarities between Casper surveillance malware and Babar.

Babar is an advanced malware developed in 2009, capable of eavesdropping on online conversations held via Skype, MSN and Yahoo Messenger; it records and transfers keystrokes and clipboard data, and monitors which websites an infected user has visited.

Babar was used against Iranian nuclear research institutes and universities, and European financial institutions. It was previously mentioned in a slideshow leaked by NSA whistleblower Edward Snowden, where it was linked to the French Government by the Canadian intelligence agency.

Casper, on the other hand, is the mature version of Babar and is literally a ghost spy program. Once infected, Casper surveillance malware gathers all the "intelligence information" about the target computer and sends it back to the control center without ever revealing its presence.

If a victim was found interesting and worthy of further hacking, Casper surveillance malware enabled the hackers to deploy additional malware, such as Babar, through a built-in platform for plugins.
 

BoraMurdar
Community Manager
Staff Member
Aug 30, 2012
Casper Binary Analysis
The two samples we found are the same core program but differently packaged. The first sample is an executable dropping the core program and making it persistent on the machine. The second is a Windows library that deploys the core program directly into memory, also in the form of a library. In this latter case, the name of the core program library was left visible by its creators: “Casper_DLL.dll”.

Throughout this blog, we will focus on the first of these two payloads, the second one being similar in terms of behavior.

Dropper
The dropper is named “domcommon.exe” and its compilation date is set to June 18th, 2010. This is very likely a forged date, as we will explain later.

Its execution is based on an XML configuration file decrypted at runtime with the RC4 algorithm and a hardcoded 16-byte key. Before the decryption, the program uses a checksum computation to make sure the memory area containing the decryption key has not been modified. Figure 1 shows the dropper’s decrypted configuration file.


Figure 1 – Casper Dropper Configuration File

Casper Playing Chess against Antivirus
Firstly, the dropper extracts the <STRATEGY> tag from its configuration file. This tag defines precisely how the malware should behave, depending on which antivirus is present on the machine.

Choosing the appropriate strategy
First, the dropper retrieves the name of any antivirus that may be running on the machine by executing the Windows Management Instrumentation (WMI) request “SELECT * FROM AntiVirusProduct” and fetching the “displayName” field from the result. If an <AV> tag exists in the configuration file with a “NAME” attribute matching the name of an installed antivirus product, it will be set as the execution strategy. In this case, four antivirus products have a defined strategy.

If no strategy is found for the running antivirus, or if no antivirus is protecting the computer, the default strategy described in the <STRATEGY> tag’s attributes will be applied. Alternatively, if a file named “strategy.xml” is present in the dropper’s folder, it will override the strategy from the configuration file.

Possible Moves
A strategy is a set of attributes that influences both the dropper and the payload execution. Some of these attributes define how to realize certain actions, whereas the others define whether to perform certain actions. The following array describes the various “moves” offered by these attributes.

[Image: table of strategy attributes (not reproduced)]


For example, process injection will only happen on machines with none of the four defined antiviruses running, since in such a case the “INJECTION” attribute will be set to “NO”. Interestingly, three antiviruses have the “ESCAPE” attribute set to “YES”, which means the dropper will simply uninstall itself in their presence without deploying Casper’s payload.

As the list of <AV> tags is pretty short, we can speculate that these are the antiviruses Casper’s authors expect to find on their targets. For the record, the “VERSION” attribute present in one <AV> tag is actually never used in the code, but it still indicates the intention to distinguish different versions of the same antivirus product. We very rarely see this level of precision employed in malware in order to bypass antivirus.

Time To Drop The Payload
In the event that the “ESCAPE” attribute is set to “NO” in the chosen strategy – as is the case with the default strategy – the dropper will then execute the commands provided in the form of XML tags in the configuration file, as shown in Figure 2.


Figure 2 – Casper Dropper’s Commands

Uninstalling previous versions
The first command instructs the dropper to remove other Casper instances that could possibly be running on the system. The corresponding <UNINSTALL> tag comes with a “name” attribute, which will be prefixed with the BIOS constructor name retrieved from the Windows registry (Intel, NEC…) before being used as an identifier. This prefixing is likely meant to avoid drawing the user’s attention if he or she happened to notice the identifier.

The program is uninstalled in two steps, each step addressing different methods of persistence employed by Casper:

  • If it exists, the scheduled task whose name matches the identifier is removed from the system
  • If it exists, the application registered with the identifier in the Windows registry is removed from the system

Payload installation
The payload installation is then directed by the <INSTALL> tag, which provides two versions of the payload, one for 32-bit machines (<x86>) and another one for 64-bit machines (<x64>).

The attributes of the <INSTALL> tag will then be used by one of the two installation methods previously mentioned. If the operating system is Windows 7 or newer, persistence will be set through a scheduled task; otherwise it will be set through the Windows registry key

“HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.

The <INSTALL> tag provides an argument to give to the payload. The exact value of the argument is critical to the “correct” execution of the payload. The actual verification in the payload is subtle: the argument is used in a custom algorithm to find library functions in memory. Unless the value is correct, the addresses of these library functions will be wrong, resulting in a random-looking crash of the payload.

Dropper cleans itself
Before terminating its execution, the dropper removes itself from the system, using the method defined in the AUTODEL attribute. It should be noted that the payload is not launched at this moment: it will be run only at the next startup thanks to the previous persistence method.

Payload
Similarly to the dropper, Casper payload’s execution is based on an XML configuration file decrypted at run-time, and shown in Figure 3.


Figure 3 – Casper’s Payload Configuration File

This configuration file starts with a timestamp, which corresponds to Monday, the 7th April 2014 at 21:27:05 GMT. Therefore, the compilation timestamps – set to 2010 – have very likely been forged.

A series of <PARAM> tags will then control the payload’s behavior, as described in the following array.

[Image: table of <PARAM> tags (not reproduced)]


The code handling the configuration shows certain capabilities not exploited in these Casper samples, for example a TIMETOLIVE attribute to plan the termination of Casper after a certain amount of time, or a DELAYED_START attribute to wait before interacting with the system.

Finally, the payload’s configuration contains the exact same <STRATEGY> as the dropper.

Report to C&C
During its first execution, Casper’s payload executes the following XML file:

<COMMAND name=’SYSINFO’/>

The handler of the “SYSINFO” command retrieves information about the system and builds a report containing several sections, as shown in Figure 4.


Figure 4 – SYSINFO Command’s Result

The titles of the report sections are self-explanatory. Interestingly, the version of the malware is clearly mentioned: 4.4.1. This report is then base64-encoded and sent to the C&C server in the body of an HTTP POST request. It will also be written into a temporary file named “perfaudio.dat”.

The network request will also have a cookie named “PREF” filled with the concatenation of the machine UID, the configuration ID, the version of Casper and the hardcoded character “R”, all base64-encoded.

C&C’s possible answers
Due to the C&C being down at the time of the investigation we can only speculate on the rest of the execution based on Casper’s known capabilities.

At this point, the binary regularly contacts the C&C server with a cookie similar to the one in the SYSINFO request, but this time with “G” as the hardcoded character instead of “R”. Our analysis of the binary reveals that the server can then send back a PNG image – with the correct header and format for a PNG file — from which a XML command file will be decrypted and executed.

In addition to the “SYSINFO” command, Casper can handle <COMMAND> tags with the following values:

  • “EXEC” to execute a program on the machine from its local path
  • “SYSTEM” to execute commands in a Windows command prompt

Finally, Casper can also handle <PLUGIN> tags, whose content is a Windows executable to deploy on the machine.

How Does Casper Relate to the Other Cartoons?
Our best chance of establishing that the same developers are behind Bunny, Babar and Casper is to identify unusual code or algorithms shared between these various programs. In our comparison we also take into account the so-called “NBOT” malware (also known as the “TFC” malware), whose link with Babar and Bunny was established by Marion Marschalek in her Babar report. Here is a non-exhaustive list of such shared features we observed:

  • Casper hides its calls to API functions by using a hash calculated from the functions’ names, rather than the names themselves. The hashing algorithm is a combination of rotate-left (ROL) of 7 bits and exclusive-or (XOR) operations. NBOT uses the exact same algorithm for the same purpose, whereas Babar hides its API calls in a similar manner but with a different algorithm.
  • Casper fetches information about the running antivirus in a way similar to Bunny, Babar, and NBOT, namely through the same WMI request. Moreover, all these malware compute the SHA-256 hash of the first word of the antivirus name, although in Casper it is actually never used.
  • Casper generates delimiters for its HTTP requests by filling a specific format string with the results of calls to the GetTickCount API function. The same code is present in some NBOT samples, as shown in the following array.

Extract of Casper’s code


Extract of NBOT’s code

  • Casper removes its dropper by executing a Windows command created from the following format string:
cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST “%hs” (DEL “%hs” & SYSTEMINFO) ELSE EXIT
In some NBOT samples we can find the following similar syntax:

cmd.exe /C FOR /L %%i IN (1,1,%d) DO IF EXIST “%s” (DEL “%s” & PING 127.0.0.1 -n 3) ELSE EXIT
  • Casper uses an “ID” value set to “13001”, whereas Babar samples contain an ID of “12075-01”. Also, the malware discovered in 2009 by the CSEC possesses an ID of “08184” (slide 8 of the CSEC slides). This similar format, and the increasing value in decimal, could indicate a familial link.
None of these signs alone is enough to establish a strong link but all the shared features together make us assess with high confidence that Bunny, Babar, NBOT and Casper were all developed by the same organization.

Victimology
According to our telemetry data, all the people targeted during this operation were located in Syria. These targets may have been the visitors of the “jpic.gov.sy” website — Syrian citizens who want to file a complaint. In this case they could have been redirected to the exploits from a legitimate page of this website.

But we were actually unable to determine if this were indeed the case. In other words, it is just as likely that the targets have been redirected to the exploits from another location, for example from a hacked legitimate website or from a link in an email. What is known for sure is that the exploits, the Casper binaries and the C&C component were all hosted on this website’s server.

This leads us to a second hypothesis: the “jpic.gov.sy” website could have been hacked to serve as a storage area. This would have at least two advantages for the attackers: firstly, hosting the files on a Syrian server can make them more easily accessible from Syria, a country whose Internet connection to the outside world has been unstable since the beginning of the civil war, as shown in the Google Transparency Report. Secondly, it would mislead attribution efforts by raising suspicion against the Syrian government.

Conclusion
As previously explained, we are confident that the same group developed Bunny, Babar and Casper. The detailed analysis of Babar in the CSEC slides from 2009 indicates this group is not a newcomer to the espionage business. The use of zero-day exploits is another indication that Casper’s operators belong to a powerful organization. Finally, the narrow targeting of people in Syria shows a likely interest in geopolitics.

Nevertheless, we did not find any evidence in Casper itself to point a finger at a specific country. In particular, no signs of French origin, as suggested by CSEC for Babar, were found in the binaries.

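An added example, my own code rather than ESET's or the malware's, that turns the PREF cookie description in the post above into a proxy-log check: it base64-decodes the cookie value and accepts only values with the described four-part shape (machine UID, configuration ID, version, "R" or "G"). The "|" separator, the host names and the UID/config values are assumptions for the demo; the report does not give them.

```python
import base64
import binascii
import re

# Beacon layout per the ESET write-up: machine UID, configuration ID, Casper
# version and one hardcoded letter ("R" with the SYSINFO report, "G" on later
# command polls), concatenated and base64-encoded into a cookie named PREF.
# ASSUMPTION: fields are joined with "|"; the report does not say how.
SEP = "|"
MARKERS = {"R": "sysinfo-report", "G": "command-poll"}
COOKIE_RE = re.compile(r"\bPREF=([A-Za-z0-9+/=]+)")
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def decode_pref(value):
    """Return the beacon fields, or None if this PREF cookie lacks the Casper
    shape. Legitimate sites also set cookies called PREF, so the cookie name
    alone is too noisy; the decoded structure is what we check."""
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = raw.split(SEP)
    if len(parts) != 4:
        return None
    uid, config_id, version, marker = parts
    if marker not in MARKERS or not VERSION_RE.match(version):
        return None
    return {"uid": uid, "config_id": config_id, "version": version,
            "phase": MARKERS[marker]}


def scan_logs(lines):
    # (line number, beacon) for every request with a Casper-shaped PREF cookie
    hits = []
    for n, line in enumerate(lines, 1):
        m = COOKIE_RE.search(line)
        beacon = decode_pref(m.group(1)) if m else None
        if beacon:
            hits.append((n, beacon))
    return hits


def b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed proxy log lines (not real traffic); hosts and IDs are placeholders.
SAMPLE_LOGS = [
    "POST /report host=c2.example Cookie: PREF=" + b64("1C3F-77A0|CFG01|4.4.1|R"),
    "GET /search host=www.example.com Cookie: PREF=ID=1a2b3c;LANG=en",
    "GET /poll host=c2.example Cookie: PREF=" + b64("1C3F-77A0|CFG01|4.4.1|G"),
    "GET /index.html host=www.example.org",
]
```

Running scan_logs(SAMPLE_LOGS) flags lines 1 and 3 only; the second line's PREF cookie is not valid base64 and is dropped without a false positive.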
 
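The ROL-7/XOR API-name hashing listed among the shared features is something an analyst has to undo when reading a sample. This added example (not ESET's code) builds a hash-to-name lookup table from known export names so the constants found in a binary can be resolved. The exact recipe below is an assumed common 32-bit ROL7-XOR form, since the post does not give the seed or operand order; the export list is a constructed sample.

```python
# Assumed hash form (the report only says "rotate-left 7 and XOR"):
#   h = rol32(h, 7) ^ byte for each ASCII byte of the name, starting at h = 0.
MASK32 = 0xFFFFFFFF


def rol32(value, bits):
    """Rotate a 32-bit value left by `bits` positions."""
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def rol7_xor_hash(name):
    """ROL7-XOR hash of a function name (assumed Casper-style form)."""
    h = 0
    for byte in name.encode("ascii"):
        h = rol32(h, 7) ^ byte
    return h


def build_table(exports):
    """Map hash -> (dll, export name) for every export we know about."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[rol7_xor_hash(name)] = (dll, name)
    return table


def resolve(hashes, table):
    """Resolve hash constants pulled from a sample; unknown ones map to None."""
    return [table.get(h) for h in hashes]


# Constructed export list for the demo (real Win32 export names; in practice
# you would enumerate each DLL's full export table, e.g. with the pefile module).
EXPORTS = {
    "kernel32.dll": ["GetTickCount", "CreateFileA", "LoadLibraryA", "GetProcAddress"],
    "advapi32.dll": ["RegOpenKeyExA", "RegQueryValueExA"],
}
TABLE = build_table(EXPORTS)
```

If a sample's constants do not resolve, the seed, rotation direction or case handling differs from the assumed form and must be read from the disassembly.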