‘Babar’ and ‘EvilBunny’: new research on malware that plagued the Middle East suggests French origin
Wed 18 Feb 2015
New research is being published today on the “fully blown espionage tool” Babar, whose existence was disclosed in documents leaked by Edward Snowden and which was first investigated (report in French) a year ago by Canada’s Communications Security Establishment (CSEC). CSEC concluded that the data-stealing malware was most likely a product of the French government.
Paul Rascagneres of the German security company GData analysed Babar in parallel with Cyphort researcher Marion Marschalek, and today both publish (in French) further details of the “highly targeted” malware. Babar can log keystrokes, monitor an infected user’s browsing history, intercept and record conversations made via Skype and other messaging programs, and exchange stolen data and instructions with a network of command-and-control servers located in countries ranging from Canada to Iran.
This Babar variant, aimed at a small set of specific targets in the Middle East, appears to be a more sophisticated version of the ‘EvilBunny’ malware family, which Marschalek discussed in detail at the Hack.lu 2014 conference in Luxembourg and in a subsequent PDF.
The name Babar, an elephant character from a popular series of French children’s books, with its underlying joke about ‘big ears’, is not the only indication that France’s foreign intelligence agency, the Direction Générale de la Sécurité Extérieure (DGSE), is the likely source of the infections: the original Snowden slides show technical guidance aimed specifically at French technicians, and much of the remaining documentation relating to Babar points to a French origin. Marschalek describes the Babar initiative as a “targeted espionage campaign” and notes that the family of programs involved “give the impression of having been developed by a team of talented developers, rather than being the work of a virus writer working in the criminal world.”
GData’s Rascagneres concedes that “Babar is not the same level of complexity as some state programs, such as Regin,” explaining that “its design and code are much more basic. However, this spy program accomplishes its task perfectly, namely that of espionage against infected users.”
According to the GData report (in German), Babar and EvilBunny are “derived from the same developers” and “belong to the operation ‘Snowglobe’”. Babar’s primary function is to steal documents. Rascagneres notes: “This information is then stored on attacker-controlled servers in Algeria, Egypt, Iran and Turkey, from where I was able to recover them.”
The primary purpose of the EvilBunny variant that Marschalek reported on, which embeds a Lua scripting engine, is not fully known. She comments: “The initial purpose of the malware seems to be sharing execution load among infected host machines. However, due to the lack of the original Lua scripts and the extensive functionality of the embedded Lua engine the original intentions of the attackers remain unknown.”
Although the C&C servers used by EvilBunny and Babar are located in Oakville (Canada), Iran, France, Turkey and Egypt, the researchers do not rule out that these machines are themselves compromised hosts pressed into service as relays. Routing traffic through infected third-party servers is a logical step for an operator wanting to avoid attribution, and it means the servers’ locations say little about who is actually behind the campaign.