Third malware connected to CSEC Snowden leaks now comes with modular structure
The analysis showed that Casper was delivered as the payload of a dropper that infected computers through an Adobe Flash zero-day exploit (CVE-2014-0515). One website identified both as the source of the exploit code and as the C&C server for Casper is a site registered by the Syrian Ministry of Justice in 2011: hxxp://jpic.gov.sy
This legitimate website is a portal for Syrian citizens “to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government”, Kaspersky’s Vyacheslav Zakorzhevsky revealed in April 2014.
Zakorzhevsky reported the attacks through the Syrian website in mid-April 2014, and Calvet found that “the configuration file starts with a timestamp, which corresponds to Monday, the 7th April 2014 at 21:27:05 GMT”. The programmers, however, tried to mislead analysts by forging the compilation timestamp of the binaries to June 18th 2010, almost four years before the configuration was generated.
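One check an analyst can automate on exactly this point, as an added example that is not code from the article or from ESET's Casper analysis: read the compile timestamp from the PE header and test it against two dates the analyst trusts more, the timestamp carried in the sample's own configuration and the date the sample was first observed. The PE bytes below are constructed test data, and "mid-April 2014" is taken as 16 April as an assumption, since the article gives no exact day.

```python
"""Added example, not code from the article or from ESET's analysis: compare a
PE file's compile timestamp with the configuration timestamp and the
first-sighting date. The PE header bytes are constructed test data."""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Dates from the article: configuration timestamp and the forged build date.
CONFIG_TIME = datetime(2014, 4, 7, 21, 27, 5, tzinfo=UTC)
FORGED_COMPILE = int(datetime(2010, 6, 18, tzinfo=UTC).timestamp())
# Assumption: "mid-April 2014" taken as 16 April; the article gives no exact day.
FIRST_SEEN = datetime(2014, 4, 16, tzinfo=UTC)
# Constructed counter-examples for comparison.
PLAUSIBLE_COMPILE = int(CONFIG_TIME.timestamp()) - 3600     # built an hour before the config
FUTURE_COMPILE = int(FIRST_SEEN.timestamp()) + 400 * 86400  # "built" after it was caught


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal MZ/PE header (test data only, not a runnable binary)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew: offset of the PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 4 bytes into the COFF header, after Machine and NumberOfSections.
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=UTC)


def timestamp_verdict(compile_time, config_time, first_seen, slack=timedelta(days=30)):
    """Classify the compile timestamp against the two trusted anchors."""
    if compile_time > first_seen:
        return "future"        # built after it was captured: impossible, so forged
    if abs(compile_time - config_time) > slack:
        return "inconsistent"  # build and configuration years apart: likely backdated
    return "consistent"


def check_sample(data: bytes, config_time=CONFIG_TIME, first_seen=FIRST_SEEN) -> str:
    """Verdict for a PE image given the analyst's two reference dates."""
    return timestamp_verdict(pe_compile_time(data), config_time, first_seen)


if __name__ == "__main__":
    for label, ts in (("forged", FORGED_COMPILE), ("plausible", PLAUSIBLE_COMPILE),
                      ("future", FUTURE_COMPILE)):
        sample = build_fake_pe(ts)
        print(f"{label:9s} compiled {pe_compile_time(sample):%Y-%m-%d} -> {check_sample(sample)}")
```

The 30-day slack is a working assumption: configurations are often generated at build time, so a gap of hours is normal while a gap of years, as with Casper, means one of the two timestamps was tampered with, and the PE header is the one an attacker can rewrite at no cost.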
Babar already contained code to check for installed and registered AV products. Casper takes this a step further: depending on the AV product it identifies on the machine, it selects a different strategy and behaves differently to avoid detection by that product.
After successful installation, Casper regularly connects to its C&C server (in this case the same website that served the exploit). Two of the commands it can receive from this server are <EXEC> and <SYSTEM>. Both point to the capability to download further code onto the infected machine, which then carries out the actual attacks.
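The "regularly connects" behaviour is what a network defender can look for even without knowing the command format. As an added example that is not code from the article or from ESET's analysis, the block below scans a web proxy log for client/server pairs whose contact intervals barely vary. The log lines are constructed test data and the 10-minute period is an assumption, not Casper's real beacon interval.

```python
"""Added example, not code from the article or from ESET's analysis: flag
beaconing client/server pairs in a proxy log by the regularity of their
contact intervals. The log lines are constructed test data."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Optional

# Constructed proxy log: timestamp, client, destination host, method, path.
SAMPLE_LOG = """\
2014-04-16T09:00:03Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T09:00:10Z 10.0.0.7 www.example.org GET /news
2014-04-16T09:03:30Z 10.0.0.7 www.example.org GET /news/2
2014-04-16T09:10:02Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T09:20:03Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T09:30:01Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T09:40:03Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T09:45:00Z 10.0.0.7 www.example.org GET /news/3
2014-04-16T09:50:03Z 10.0.0.7 jpic.gov.sy GET /
2014-04-16T10:00:00Z 10.0.0.7 www.example.org GET /
2014-04-16T10:05:00Z 10.0.0.9 jpic.gov.sy GET /
2014-04-16T10:15:00Z 10.0.0.9 jpic.gov.sy GET /
"""


def parse_log(text: str) -> dict:
    """Group contact times (epoch seconds, UTC) by (client, destination host)."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        contacts[(client, host)].append(when.timestamp())
    return contacts


def beacon_score(times: list) -> Optional[float]:
    """Coefficient of variation of the gaps between contacts; None if fewer than 3 gaps."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)


def flag_beacons(contacts: dict, min_hits: int = 4, max_cv: float = 0.1) -> list:
    """Return (client, host) pairs seen at least min_hits times with near-constant gaps."""
    flagged = []
    for pair, times in contacts.items():
        if len(times) < min_hits:
            continue  # too few contacts to call it periodic
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    for pair in flag_beacons(parse_log(SAMPLE_LOG)):
        print("possible beacon:", pair)
```

In the constructed log, 10.0.0.7 reaches jpic.gov.sy every 600 seconds give or take two, so the coefficient of variation is near zero and the pair is flagged; the browsing to www.example.org has the same number of hits but wildly different gaps, and 10.0.0.9 has too few contacts to judge. An implant that randomises its sleep defeats a tight `max_cv`, so in practice the threshold is tuned per environment rather than fixed at 0.1.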
As a member of the same family as EvilBunny and Babar, Casper could well be fed plug-ins capable of cyber espionage. For now, however, we can only speculate about the downloaded features, because the C&C server was not reachable at the time of the analysis.
The malware got its name because “Casper_DLL.dll” is the name of the core library in one of the samples analysed. Both core programs were very similar but packaged differently.