Babar cyber espionage malware highlights increase in covert cyberattacks

February 24, 2015 Arctic Wolf Networks

Yet another sneaky piece of cyber espionage malware has been discovered by cybersecurity researchers, highlighting just how prevalent the practice has become.

Analysts from security firms Cyphort Labs and GDATA recently published reports on a strain of French-language malware known as Babar. The malicious software, named after a French cartoon elephant, was first brought to light in documents from Canada's secret intelligence agency, Communications Security Establishment Canada, that were leaked along with other documents released by Edward Snowden. The malware has since been tied to spying exercises that created a seemingly related remote access trojan known as EvilBunny.

Babar has a long list of espionage features: keylogging, screenshot capture, clipboard logging and the ability to log audio conversations held through Web chat services. Most concerning, it is capable of injecting code into running processes to steal files. Babar is able to infect machines through malicious email attachments, targeting Windows applications once it has been installed on a device.

More sophisticated than average criminal malware
While the malware is used almost exclusively as a cyber espionage tool, it shares similarities with malicious software used for cybercrime, such as the ZeuS banking trojan and the Regin malware family. Babar's use of Tor to communicate and other features that help it remain undetected show that the malware is much more advanced than the average cybercrime tool.

"As it is with binary attribution, these allegations are impossible to prove without the shadow of a doubt," said Marion Marschalek, malware analyst with Cyphort. "What we can say with certainty though is that Babar strikes the analyst with sophistication not typically seen in common malware."

There are a variety of similarities between the newly discovered Babar malware and the cyber espionage tool written about in the leaked CSEC documents, which was allegedly employed by the French government to spy on other nations. The malware was mainly used to target Iranian science and technology organizations, but it was also leveraged against French-speaking media outlets, targets in former French colonies and the European Financial Association.

In order to protect networks from cyberthreats capable of evading ordinary defense methods, enterprises must start to employ enhanced detection services. A network monitoring and threat response solution allows organizations to detect any suspicious or anomalous behavior caused by malicious actors that may have made it past an organization's firewall. Event data is analyzed and used to create actionable defense information to protect enterprise systems, ensuring stronger defenses and better protected networks.

Cybersecurity news and analysis brought to you by ArcticWolf, inventors of firebreak detection and response security services.  FireBreak, when your firewall fails.
