Malware seemingly developed by French hackers as a cyber-weapon has been unearthed by the security vendor Cyphort.
Babar was previously mentioned in information leaked by NSA whistleblower Edward Snowden to the German magazine Der Spiegel, which showed the malware was discussed in a slideshow by the Communications Security Establishment Canada (CSEC), the country’s equivalent of GCHQ.
Marion Marschalek, malware analyst at Cyphort, said: "As it is with binary attribution, these allegations are impossible to prove without the shadow of a doubt.
"What we can say with certainty though is that Babar strikes the analyst with sophistication not typically seen in common malware."
Babar is said to infect machines through email attachments, invading other Windows applications once it has been installed on a computer.
Once installed the virus can log keystrokes, capture screenshots, eavesdrop on online phone calls and spy on instant messaging conversations, according to Marschalek.
"The binaries come with the same handwriting as the malware dubbed ‘Bunny’ which we have blogged about before," she added. "We assume the same author is behind both families."
Content from our partners
One command and control (C&C) server linked to by Babar also appeared to still be online, having been hidden behind the legitimate Algerian site Horizons Tourisme. The other was based in Turkey.
The malware was linked to France by CSEC due to the name, which appears to derive from a popular French cartoon, and technical indications that the software war written by French programmers.
Canadian cyber-spies noted that Babar "doesn’t fit [a] cybercrime profile", and added that its targets included the Atomic Energy Organisation of Iran, as well as former French colonies, French-speaking media and European finance.
