Totally Spies! presented at HackLu 2015

by Paul Rascagneres, Joan Calvet, Marion Marschalek,

Summary: In March 2014 a set of slides was leaked from the Communications Security Establishment Canada (CSEC), outlining operation SNOWGLOBE, which involves a mysterious malware dubbed Babar that has been spotted spying on Canadian institutions as well as attacking institutions in Iran and other targets in the Middle East. CSEC attributed the attacks “with moderate certainty” to a French intelligence agency. The group behind Babar is now commonly referred to as “AnimalFarm” in the antimalware industry, suggesting Babar was only a small piece of a much bigger puzzle. Since the publication of the CSEC slides, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following SNOWGLOBE’s trail. Along its path, this group found several pieces of AnimalFarm’s arsenal, for example stealthy Casper, exotic Bunny and even big-eared Babar itself. The newest heavy-weight actor on the list of miscreants is Dino, the espionage dinosaur.
This presentation aims to provide a global picture of SNOWGLOBE’s operations and also delve into the technical quirks of their malware. An assessment of the connections between their various pieces of software will be given from a reverse engineer’s perspective, along with the technical hints regarding attribution that can be found.