Last month, Canadian researchers spoke of the likely involvement of French intelligence services in the design and deployment of two pieces of malware: Babar and its variant EvilBunny. Today, another piece of software is the subject of a dedicated study: Casper.
Casper was spotted last April on jpic.gov.sy, the website of the Syrian Ministry of Justice through which citizens were invited to claim compensation for the destruction caused by the civil war in the country.
ESET researcher Joan Calvet set out to analyze the malware and discovered a little more about how it works. Casper is a DLL file notable for its use of two zero-day vulnerabilities in Flash (CVE-2014-0515), and an analysis of the code quickly revealed obvious similarities with Babar and EvilBunny.
According to the expert, the three pieces of software would thus come from the same organization, which automatically points to a secret French agency. We can therefore assume that the DGSE has a set of malware operating in networks around the world.
Casper is not, however, a mass data collection tool like those of the NSA. It acts as a scout: it installs itself on the targeted machine and sends information about the host back to its owner's servers: antivirus, firewall, settings, system information, running processes, configuration... The goal is then to prepare a tailor-made attack that exploits the vulnerabilities found and obtains the desired information.
Its name was not chosen at random either, since the software is a real ghost: so as not to trigger the systems' security protections, it first checks which antivirus solution is installed. If a solution capable of detecting it is in place, it self-destructs; if not, it installs itself in the registry.
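The behaviour described in the two preceding paragraphs (survey the host's security products, then either self-destruct or persist in the registry) is something a defender can look for as a sequence rather than as individual events. The following is an added example written for this article, not code from the original piece or from ESET's analysis. It assumes Sysmon-style endpoint telemetry already normalised into dictionaries; the field names, the WMI SecurityCenter2 query strings, the autorun key paths and the sample events are all constructed for illustration and are not indicators taken from Casper.

```python
"""Correlate security-product discovery with what the same process does next.

Added defensive example (assumption-based, not Casper's real behaviour):
a process that enumerates installed antivirus/firewall products and then,
within a short window, either writes an autorun registry value or deletes
an executable file is flagged for review.
"""
from datetime import datetime, timedelta

# Autorun locations we treat as persistence (assumed; extend to taste).
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# WMI classes in root\SecurityCenter2 that list installed security products.
SECURITY_PRODUCT_QUERIES = ("antivirusproduct", "firewallproduct")

# Constructed sample events, not real telemetry. "type" is a simplified
# event category; "detail" carries the query text, registry path or file path.
SAMPLE_EVENTS = [
    {"ts": "2015-03-05T10:00:00", "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "type": "wmi_query", "detail": "SELECT displayName FROM AntiVirusProduct"},
    {"ts": "2015-03-05T10:00:03", "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "type": "registry_set",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2015-03-05T10:05:00", "pid": 5210, "image": r"C:\Windows\System32\rundll32.exe",
     "type": "wmi_query", "detail": "SELECT displayName FROM FirewallProduct"},
    {"ts": "2015-03-05T10:05:02", "pid": 5210, "image": r"C:\Windows\System32\rundll32.exe",
     "type": "file_delete", "detail": r"C:\Users\user\AppData\Local\Temp\sample.dll"},
    # Benign-looking process: queries AV products but only writes its own settings key.
    {"ts": "2015-03-05T10:10:00", "pid": 900, "image": r"C:\Program Files\Vendor\scanner.exe",
     "type": "wmi_query", "detail": "SELECT displayName FROM AntiVirusProduct"},
    {"ts": "2015-03-05T10:10:05", "pid": 900, "image": r"C:\Program Files\Vendor\scanner.exe",
     "type": "registry_set", "detail": r"HKLM\Software\Vendor\Settings\LastScan"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def is_security_product_query(ev):
    """True if the event is a WMI query against a security-product class."""
    detail = ev["detail"].lower()
    return ev["type"] == "wmi_query" and any(q in detail for q in SECURITY_PRODUCT_QUERIES)


def is_autorun_write(ev):
    """True if a registry write lands under one of the assumed autorun keys."""
    detail = ev["detail"].lower()
    return ev["type"] == "registry_set" and any(k.lower() in detail for k in AUTORUN_KEYS)


def is_executable_delete(ev):
    """True if a file deletion targets an executable or DLL (assumed self-removal)."""
    return ev["type"] == "file_delete" and ev["detail"].lower().endswith((".dll", ".exe"))


def correlate(events, window=timedelta(seconds=60)):
    """Return (pid, image, verdict) tuples for processes whose security-product
    discovery is followed, within `window`, by persistence or self-removal."""
    alerts = []
    last_query = {}  # pid -> timestamp of the most recent security-product query
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = _parse(ev["ts"])
        if is_security_product_query(ev):
            last_query[ev["pid"]] = t
            continue
        t0 = last_query.get(ev["pid"])
        if t0 is None or t - t0 > window:
            continue  # no recent discovery by this process, or too far apart
        if is_autorun_write(ev):
            alerts.append((ev["pid"], ev["image"],
                           "persistence after security-product discovery"))
        elif is_executable_delete(ev):
            alerts.append((ev["pid"], ev["image"],
                           "self-removal after security-product discovery"))
    return alerts


if __name__ == "__main__":
    for pid, image, verdict in correlate(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): {verdict}")
```

On the constructed sample the rule flags pid 4120 (discovery followed by a Run-key write) and pid 5210 (discovery followed by deleting a DLL), while pid 900 is left alone because its registry write is not an autorun location. The window and the "executable delete" heuristic are deliberately crude; in practice the second event would be checked against the process's own loaded modules, and the query detection widened to cover process-list enumeration of known AV binaries.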
Unable to say whether Syria itself was being spied on with the software, security experts note that the platform could equally have served only as a relay to coordinate other attacks while masking the identity of the agency actually controlling the operation.