A collection of computer Trojans that have been used since 2009 to steal data from government agencies, military contractors, media organizations and other companies is tied to cyberespionage malware possibly created by French intelligence agencies.
Researchers from several antivirus companies have found links between the malware programs, which they call Babar, Bunny, Casper, Dino, NBot and Tafacalou. Some share the same command-and-control servers and some use the same implementations for Windows process listing, process blacklisting or export hashing.
In January, German news magazine Der Spiegel published several secret documents about the malware activities of the U.S. National Security Agency and its closest partners, the intelligence agencies of the U.K., Canada, Australia and New Zealand—collectively known as the Five Eyes intelligence alliance.
One of those documents, which was part of the files leaked to journalists by former NSA contractor Edward Snowden, was a presentation from the Communications Security Establishment Canada (CSEC) dated 2011 that described a foreign cyberespionage operation dubbed SNOWGLOBE.
CSEC, a Canadian government intelligence agency, named the Trojan program used in the operation SNOWBALL, but noted that its internal name was Babar, the name of a popular French children’s book series and television show. It also noted other French connections including the user name of the malware’s developer “titi,” which the French diminutive for Thiery; the use of kilooctet (ko) instead of kilobyte (KB), which is typical of the French technical community; and the language option of the development computer being “fr_FR.”
According to CSEC, Babar’s victims also matched French intelligence priorities: Iranian science and technology research organizations, European financial associations, French-speaking media organizations and organizations in former French colonies like Algeria and the Ivory Coast.
“CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [computer network operation] effort, put forth by a French intelligence agency,” CSEC concluded in the presentation that was shared with the Five Eyes partners.
In February, researchers from security firm Cyphort identified and analyzed an information-stealing Trojan, whose internal project name was Babar64. The malware program was capable of logging key strokes, taking screen shots, capturing audio streams from Voice-over-IP applications, stealing clipboard data, and more.
The Cyphort researchers found similarities to an older malware program they had dubbed EvilBunny.
“We assume the same author is behind both families,” they said in a blog post.
On Thursday, security researchers from antivirus firm ESET published a report about yet another Trojan program related to Babar and EvilBunny that they dubbed Casper. The program was distributed in April 2014 from a website operated by the Syrian Ministry of Justice using two Flash Player zero-day exploits—exploits for previously unknown vulnerabilities.
“We are confident that the same group developed Bunny, Babar and Casper,” the ESET researchers said in a blog post. Casper did not contain any clues that would point to a French origin, but the use of zero-day exploits indicates that it was created by a powerful organization, they said.
Finally on Friday, researchers from Kaspersky Lab completed the picture with three more malware programs called Dino, Nbot and Tafacalou that they believe were created by the same group as Bunny, Babar and Casper. The Kaspersky researchers have dubbed the group Animal Farm and believe it has been active since at least 2009.
Over the years the group targeted government organizations, military contractors, humanitarian aid organizations, private companies, activists, journalists and media organizations, the Kaspersky researchers said in a blog post.
Tafacalou is a first-stage Trojan that the attackers use to check if the infected computers belong to their intended targets before deploying the more potent Dino or Babar cyberespionage implants.
Kaspersky has seen Tafacalou infections in Syria, Iran, Malaysia, USA, China, Turkey, Netherlands, Germany, Great Britain, Russia, Sweden, Austria, Algeria, Israel, Iraq, Morocco, New Zealand and Ukraine.
While the researchers stop short of associating Animal Farm with any specific country or intelligence agency, they point out that Tafacalou might be a French variation for the phrase “so it’s getting hot” in Occitan, a language spoken in Southern France, Monaco and some areas of Italy and Spain.