Eset researchers find Casper malware linked to French spy agency
Posted by: Timothy Weaver on 03/06/2015 10:42 AM
[
Comments
]
Security researchers have discovered a new state-sponsored targeted attack campaign, dubbed Casper, which has links to the French Babar spyware which was used last year against Syrian targets.
Eset was able to study two Flash zero-day exploits targeting the CVE-2014-0515 vulnerability which were found on a Syrian Justice Ministry website.
These payloads were “very likely” developed by the people behind Babar and two other pieces of related French malware dubbed Bunny and NBOT, she said.
All those targeted by Casper were located in Syria, but Eset couldn’t determine if they’d been redirected from a legitimate page of the same compromised government website – jpic.gov.sy – or from another source, such as a malicious email link or hacked third party site.
Calvet added:
“This leads us to a second hypothesis: the ‘jpic.gov.sy’ website could have been hacked to serve as a storage area. This would have at least two advantages for the attackers: firstly, hosting the files on a Syrian server can make them more easily accessible from Syria, a country whose internet connection to the outside world has been unstable since the beginning of the civil war… Secondly, it would mislead attribution efforts by raising suspicion against the Syrian government.”
Calvet concluded that there was no evidence in Casper itself “to point a finger at a specific country,” although it is clear that its authors belonged to a “powerful organization”.
Eset was able to study two Flash zero-day exploits targeting the CVE-2014-0515 vulnerability which were found on a Syrian Justice Ministry website.
These payloads were “very likely” developed by the people behind Babar and two other pieces of related French malware dubbed Bunny and NBOT, she said.
All those targeted by Casper were located in Syria, but Eset couldn’t determine if they’d been redirected from a legitimate page of the same compromised government website – jpic.gov.sy – or from another source, such as a malicious email link or hacked third party site.
Calvet added:
“This leads us to a second hypothesis: the ‘jpic.gov.sy’ website could have been hacked to serve as a storage area. This would have at least two advantages for the attackers: firstly, hosting the files on a Syrian server can make them more easily accessible from Syria, a country whose internet connection to the outside world has been unstable since the beginning of the civil war… Secondly, it would mislead attribution efforts by raising suspicion against the Syrian government.”
Calvet concluded that there was no evidence in Casper itself “to point a finger at a specific country,” although it is clear that its authors belonged to a “powerful organization”.
Comments
