Spyware unearthed in Snowden leaks becomes ever more potent.
More details of French cyberespionage capabilities are seeping into the public sphere, following reports of a cyber-weapon operating in Syria that may have been backed by French intelligence.
Casper, which follows the Babar virus which disclosed in documents leaked by NSA whistleblower Edward Snowden, is a snooping tool used to track victims in Syria from as early as April last year, making use of a unpatched "zero day" Flash flaw to carry out mischief.
Marion Marschalek, malware analyst at security firm Cyphort, which helped uncover the malware, said: "We assume with high confidence that Casper is operated by the same actors as Babar, Bunny and Nbot.
"It is noteworthy though, that although binaries stem from the same source code base, thus most likely from the same authors, this does not prove that the same actor is responsible for all performed attacks involving these families."
Documents retrieved by Snowden from the Communications Security Establishment Canada (CSEC) attributed Babar to French spies, raising the possibility Casper is also their work.
Victims in Syria were said to be targeted by the virus through the country’s Ministry of Justice website, which was compromised so that its visitors would be exposed to the spyware.
"This website was created by the Syrian government to allow Syrian citizens to send in complaints. It is still up, but it has been cleaned," said Joan Calvet, malware researcher at security vendor ESET, which collaborated with Cyphort to investigate the virus.
"Moreover, the Casper controller itself was also hosted on this website, and there were plugins deployed which are executed on the machine."
In addition to holding many of the snooping capabilities of its predecessors Casper appears to have evolved antivirus evasion capabilities, adapting its strategy depending on which antivirus software it detects is running on a system.
Such complexity has led the researchers to conclude that the malware is likely sponsored by a country with political interests at stake.
"Taking into account that the geographical area targeted by Casper is of high political interest for many parties and that the malware’s intention is clearly the preparation of a more targeted attack we expect the nature of the attack to be of political rather than criminal intent," Marschalek said.
"Development of targeted malware with a level of sophistication shown by Casper requires a skilled team of developers; Also the use of zero day exploits in the distribution process leaves the conclusion the operators were very well funded."