Casper is considered to be EvilBunny’s and Babar’s successor, believed to originate from the same group of programmers – possibly connected to a French intelligence agency. The malware has undergone two very interesting changes: it now has a modular structure which allows the attackers to download and install attack plug-ins at will, and its anti-AV strategies have improved. This blog post gives a brief overview of the main differences between Casper and the other two. A thorough analysis of Casper can be read in Joan Calvet’s (ESET) blog post, published today. Calvet has worked together again with Marion Marschalek and Paul Rascagnères to dissect this newly discovered threat.
The analysis showed that Casper was delivered as the payload of a dropper which infected computers through an Adobe Flash zero-day exploit (CVE-2014-0515). One website identified as both the source of the exploit code and as the C&C server for Casper is a website registered by the Syrian Ministry of Justice in 2011: hxxp://jpic.gov.sy
This legitimate website is a portal for Syrian citizens “to complain about law and order violations”, Kaspersky’s Vyacheslav Zakorzhevsky revealed in April 2014. “We believe the attack was designed to target Syrian dissidents complaining about the government”, he further concludes.
Zakorzhevsky reported on the attacks via the Syrian website in mid-April 2014, and Calvet found that “the configuration file starts with a timestamp, which corresponds to Monday, the 7th April 2014 at 21:27:05 GMT”. However, the programmers tried to mislead analysts by forging the compilation timestamp to June 18th 2010.
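As an added example (not part of the original post or of ESET’s analysis), the following Python reads the COFF TimeDateStamp that analysts compare against such an embedded configuration timestamp and flags a compile stamp that predates the configuration by a wide margin; the stub PE image and the midnight value for June 18th 2010 are constructed here, since the post gives no time of day for the forged stamp.

```python
import struct
from datetime import datetime, timezone

# Timestamp quoted from the configuration file: Monday, 7 April 2014, 21:27:05 GMT.
CONFIG_TS = int(datetime(2014, 4, 7, 21, 27, 5, tzinfo=timezone.utc).timestamp())
# Forged compile stamp: the post names only the date, so midnight UTC is assumed.
FORGED_COMPILE_TS = int(datetime(2010, 6, 18, tzinfo=timezone.utc).timestamp())
# Anything more than a year between config and build is treated as a forgery signal.
TOLERANCE_SECONDS = 365 * 86400


def pe_timedatestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature; TimeDateStamp sits 4 bytes into it.
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def timestamp_inconsistent(compile_ts: int, config_ts: int) -> bool:
    """True when the binary claims to have been built long before its own config was generated."""
    return config_ts - compile_ts > TOLERANCE_SECONDS


def triage(image: bytes, config_ts: int) -> dict:
    """Summarise the compile stamp of a sample against its embedded configuration timestamp."""
    compile_ts = pe_timedatestamp(image)
    return {
        "compile_utc": datetime.fromtimestamp(compile_ts, tz=timezone.utc).isoformat(),
        "config_utc": datetime.fromtimestamp(config_ts, tz=timezone.utc).isoformat(),
        "suspicious": timestamp_inconsistent(compile_ts, config_ts),
    }


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal image: DOS header pointing at a PE signature plus a COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(triage(build_stub_pe(FORGED_COMPILE_TS), CONFIG_TS))
```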
Babar already had code to check for installed and registered AV products, but Casper takes this a step further. Depending on the AV product identified on the machine, it chooses a different strategy and behaves differently in order to avoid detection by that product.
After being successfully installed on a system, Casper regularly connects to its C&C server (in this case the same website that served the exploit). Two of the commands it can receive from this server are <EXEC> and <SYSTEM>. Both hint at the capability to download further code to the infected machine, which then performs the actual attacks.
Belonging to the group of EvilBunny and Babar, it would not be surprising if Casper were fed plug-ins capable of cyber espionage. But at present we can only speculate about the downloaded features, as the C&C was not available at the time of the analysis.
The name was assigned to this malware because “Casper_DLL.dll” is the name of the core library in one of the samples analyzed. Both core programs were very similar but packaged differently.