Totally Spies!: A Tour in Espionage Cartoons

Presented at REcon 2015, June 19, 2015, 10 a.m. (60 minutes)

For some months now, there were rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC) -- Canada equivalent of NSA. CSEC then described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency. The group behind Babar is now commonly referred as "AnimalFarm" in antimalware industry, because Babar was only a small piece of a much bigger puzzle. Since CSEC slides' publication, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big ears Babar itself. This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture on AnimalFarm's operations, and also delve into technical quirks of their malware. We will also explain how we assessed the connection between their various piece of software from a code reverse-engineering perspective, and what are the technical hints we found regarding attribution.

Presenters:

• Paul Rascagnères
• Marion Marschalek
• Joan Calvet

Links:

• https://recon.cx/2015/schedule/events/35.html
• https://infocon.org/cons/REcon/REcon 2015/REcon 2015 videos/joan-calvet-marion-marschalek-paul-rascagneres-Totally-Spies.mp4

Similar Presentations:

• VB2019 / Buhtrap metamorphosis: from cybercrime to cyber espionage (partner presentation)
• VB2018 / The Big Bang Theory by APT-C-23
• VB2015 / The elephant in the room