A while ago a bunny crossed my way. I mean... a binary, which literally named itself bunny. Bunny is a beautiful piece of software, orchestrating a massive thread model with the goal of feeding downloaded Lua scripts to an integrated Lua engine. The scripts are then supposed to call back into the C++ code through C/Invoke Lua bindings to change the malware's behaviour at runtime.
A number of binaries with the same handwriting were identified, among them a sample which strikes the analyst with surprising sophistication. The shining star of this menagerie is a DLL implant aiming at, well, all the things. This binary is a fancy espionage tool, which keeps track of all data it can get its tentacles on. The implant clings onto running processes by injecting its payload into other applications. Once settled, the implant creates screen captures and intercepts keystrokes. If applicable, the malware can also tap the microphone and record sound to steal data from installed softphones.
This implant's dropper is a bloated binary, linked with debug information for a project named 'Babar64'. Babar is a French cartoon character, an elephant. Now who, if not the French, would call a piece of malware Babar? That looks fishy (ça a l'air louche). But oh, mon Dieu, I'm not blaming the French. That was actually the Canadian Communications Security Establishment (CSEC) calling out France in a leaked government document published earlier this year. Besides the CSEC allegations, malware of the same strain has even popped up in Syria. The newest representatives are dubbed 'Casper', the (questionably) friendly ghost.
The focus of this talk will be a deep insight into the technical finesse of the espionage toolset and an outline of the implementation details, as well as an investigation of the binary handwriting which made it possible to relate the identified cartoons. The talk will close with a glimpse of victimology, providing educated guesses on the motivations behind the cartoon attacks.