Full Report
In this post, we lift the veil on Casper - another piece of software that we believe to have been created by the same organization that is behind Babar and Bunny.
Analysis Summary
# Threat Actor: Developers of Babar, Bunny, and Casper Malware
## Attribution & Identity
The threat actor group is responsible for developing and deploying the distinct but related espionage tools: Babar, Bunny, and Casper. The CSEC allegedly associates the Babar development with France, though the article notes no evidence of French origin was found in the Casper binaries themselves. This group is described as powerful due to its use of zero-day exploits and long history in espionage activities (indicated by Babar analysis dating back to 2009).
* **Known Aliases/Malware:** Babar, Bunny, Casper
* **Associated Groups:** Implied nation-state actor, possibly connected to French intelligence based on CSEC speculation regarding Babar.
## Activity Summary
The group has been active since at least 2009 (based on CSEC analysis of Babar).
* **Babar:** Developed and deployed for espionage purposes, mentioned in CSEC slides (leaked 2014/2015).
* **Bunny:** A malware sharing significant characteristics with Babar.
* **Casper:** The most recent publicly known malware from this group (observed in April 2014). Casper was used specifically against Syrian targets, delivered through zero-day Adobe Flash exploits. The exploits and malware components were hosted on a compromised Syrian government website (`jpic.gov.sy`).
## Tactics, Techniques & Procedures
The group employs high-end espionage techniques, including the use of zero-day vulnerabilities for initial access and sophisticated evasion techniques.
* **Initial Access:** Used zero-day exploits in Adobe Flash (specifically CVE-2014-0515) delivered via a watering hole attack hosted on a compromised governmental website.
* **Stealth & Evasion:** Casper is described as a "well-developed reconnaissance tool, making extensive efforts to remain unseen." It implements specific strategies designed to evade antimalware software by checking the configuration file based on the detected AV product name (retrieved via WMI query: `SELECT * FROM AntiVirusProduct`).
* **Payload Delivery:** Delivery involved both an executable dropper (`domcommon.exe`) and a DLL payload (`Casper_DLL.dll`) deployed directly into memory.
* **Configuration:** Maintained configuration files encrypted with the RC4 algorithm, protected by a runtime checksum verification of the decryption key in memory.
* **Persistence:** The executable dropper attempts to establish persistence on the compromised machine.
* **MITRE ATT&CK IDs (Inferred):** Initial access via Exploit Public-Facing Application (T1190), Evasion (T1027, T1012 - Anti-evasion techniques).
## Targeting
The targeting appears focused and politically motivated.
* **Sectors:** Not explicitly named, but the espionage nature suggests government or sensitive organizations.
* **Geography:** Targeting noted specifically against **Syria** (via Casper deployment in April 2014). Overall geographic targeting is unknown but potentially broader given the history of Babar.
* **Victims:** People/entities within Syria were targeted by Casper.
## Tools & Infrastructure
The group deploys sophisticated, distinctive malware.
* **Malware Families used:** Babar, Bunny, Casper (core program observed as `Casper_DLL.dll`), Dropper (`domcommon.exe`), Payload (`aiomgr.exe`). Detected components were sometimes flagged as Win32/ProxyBot.B/A.
* **Infrastructure (C2, domains, IPs):** The command-and-control (C2) endpoint and the exploit and malware components were hosted on the compromised Syrian governmental website: `hXXp://jpic.gov.sy/css/images/_cgi/index.php` (defanged URL).
* **Internal Artifacts:** Mutex name: `{4216567A-4512-9825-7745F856}`; Temporary file name: `perfaudio.dat`.
## Implications
This actor group represents a highly capable, well-resourced threat likely tied to intelligence operations ("espionage business"). Their ability to reliably develop and deploy zero-day exploits against widely used software (Adobe Flash) signifies a high-level threat capable of breaching sophisticated environments. The willingness to host payloads on compromised sovereign websites suggests an attempt to obscure attribution or exploit local network access patterns.
## Mitigations
Defense should focus on blocking known IOCs and implementing strong behavioral analysis to detect advanced evasion.
* Monitor for and block connections to the identified C2 infrastructure (though this specific URL may be dead or changed).
* Implement robust WMI monitoring to detect unauthorized queries for running processes or installed software names, especially those related to security products.
* Ensure immediate patching for zero-day vulnerabilities (CVE-2014-0515 and others affecting Flash).
* Use application control and whitelisting where possible, given the use of fileless or in-memory deployment strategies by the DLL variant.
* Hunt for known file names (`domcommon.exe`, `aiomgr.exe`) and mutexes associated with this actor family.
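A hunting script that applies the indicators listed in this summary (file names, mutex, WMI query and C2 URL) to endpoint telemetry, written here as an added example and not taken from the original report. The log line format and the sample lines are constructed, and requiring several independent indicator categories per host before triage is an assumption made to reduce false positives, since legitimate inventory tools also query `AntiVirusProduct`.

```python
import re
from collections import defaultdict
# Indicators quoted in the summary above, compiled case-insensitively.
INDICATORS = {
    "c2_url": [r"jpic\.gov\.sy/css/images/_cgi/index\.php"],
    "file_name": [r"\bdomcommon\.exe\b", r"\baiomgr\.exe\b",
                  r"\bCasper_DLL\.dll\b", r"\bperfaudio\.dat\b"],
    "mutex": [r"\{4216567A-4512-9825-7745F856\}"],
    "wmi_av_query": [r"SELECT\s+\*\s+FROM\s+AntiVirusProduct\b"],
}
PATTERNS = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in INDICATORS.items()}

def scan_logs(lines):
    """Return (line_no, host, category, matched_text) for every indicator hit.
    Lines are assumed to be "<timestamp> <host> <event> key=value ..." (constructed format)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.split(maxsplit=2)
        host = parts[1] if len(parts) > 1 else "?"
        for cat, regexes in PATTERNS.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    hits.append((n, host, cat, m.group(0)))
                    break  # one hit per category per line
    return hits

def hosts_to_triage(hits, min_categories=2):
    """Hosts where at least min_categories independent indicator types fired.
    A lone AntiVirusProduct query is common in legitimate inventory tooling,
    so a single category is treated as low confidence (assumed threshold)."""
    cats = defaultdict(set)
    for _, host, cat, _ in hits:
        cats[host].add(cat)
    return sorted(h for h, c in cats.items() if len(c) >= min_categories)

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    r"2014-04-22T10:03:11Z WS01 ProcessCreate Image=C:\Users\u\AppData\Local\Temp\domcommon.exe",
    r'2014-04-22T10:03:12Z WS01 WmiQuery Namespace=root\SecurityCenter2 Query="SELECT * FROM AntiVirusProduct"',
    r"2014-04-22T10:03:13Z WS01 MutexCreate Name={4216567A-4512-9825-7745F856}",
    r"2014-04-22T10:03:15Z WS01 NetConnect Url=http://jpic.gov.sy/css/images/_cgi/index.php",
    r'2014-04-22T10:40:00Z WS02 WmiQuery Namespace=root\SecurityCenter2 Query="SELECT * FROM AntiVirusProduct"',
    r"2014-04-22T10:41:00Z WS03 ProcessCreate Image=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print("hosts to triage:", hosts_to_triage(scan_logs(SAMPLE_LOG)))  # ['WS01']
```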