Cyphort Labs has found a cyber-espionage tool of the kind a nation state would be behind. It invades Windows desktop machines and aims at extracting almost anything of value: it steals data from instant messengers, softphones, browsers and office applications.
Dubbed ‘Babar64’, the malware is believed to have been written by French intelligence.
It is a natty bit of code. It logs keystrokes, takes screenshots, streams audio from softphone applications, nicks clipboard data and can steal the names of desktop windows.
The malware creates an invisible window with no other purpose than to receive window messages. By processing the window message queue it picks out input events and dispatches them to a raw input device object. Said object is configured to grab keyboard events through GetRawInputData.
Babar has two hard-coded C&C server addresses included in its configuration data — http://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php and http://www.gezelimmi.com/wp-includes/misc/bb/index.php.
The domain horizons-tourisme.com is a legitimate website, operated by an Algerian travel agency located in Algiers. The website is in French and still online today. Gezelimmi.com is a Turkish domain, currently responding with an HTTP 403 error (access not permitted). Both domains appear to be in legitimate use, but compromised and abused to host Babar’s server-side infrastructure.
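Because both C&C hosts are otherwise legitimate websites, a defender cannot simply block the domains; the useful signal is a request to the exact C2 path. The following script is an added example (not Cyphort's code and not part of the original article) that scans a few constructed proxy log lines for the two Babar C2 URLs quoted above, distinguishing an exact host-plus-path hit from a request to the compromised host alone. The log format (`timestamp src_ip method url status`) and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Babar C2 URLs, exactly as listed in the article.
BABAR_C2_URLS = (
    "http://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php",
    "http://www.gezelimmi.com/wp-includes/misc/bb/index.php",
)


def _host_path(url):
    """Normalise a URL to (host, path): lower-case, drop port and 'www.' prefix."""
    p = urlparse(url.strip().lower())
    host = p.netloc.split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host, p.path


# Exact (host, path) pairs and the bare hosts derived from them.
C2_EXACT = {_host_path(u) for u in BABAR_C2_URLS}
C2_HOSTS = {host for host, _ in C2_EXACT}

# Constructed proxy log lines for the example (assumed format:
# "timestamp src_ip method url status"); these are not real captures.
SAMPLE_PROXY_LOG = """\
2015-02-18T09:12:01Z 10.0.0.15 GET http://www.horizons-tourisme.com/index.html 200
2015-02-18T09:12:44Z 10.0.0.15 POST http://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php 200
2015-02-18T09:13:02Z 10.0.0.23 GET http://example.com/news 200
2015-02-18T09:15:17Z 10.0.0.42 POST http://gezelimmi.com:80/wp-includes/misc/bb/index.php 403
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify(url):
    """Return 'c2_exact' for a known Babar C2 URL, 'c2_host_only' for another
    page on a compromised host, or None for anything else."""
    host, path = _host_path(url)
    if (host, path) in C2_EXACT:
        return "c2_exact"
    if host in C2_HOSTS:
        return "c2_host_only"
    return None


def scan_proxy_log(text):
    """Parse proxy log lines and return the entries that touch Babar C2 hosts.
    The HTTP status is recorded but not used to filter: a 403 from the Turkish
    host still means a client on the network tried to reach the C2 path."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, method, url, status = m.groups()
        verdict = classify(url)
        if verdict is not None:
            hits.append({
                "ts": ts, "src": src, "method": method,
                "url": url, "status": int(status), "verdict": verdict,
            })
    return hits


def exact_hit_sources(text):
    """Source IPs that contacted a C2 path exactly; these hosts warrant triage."""
    return sorted({h["src"] for h in scan_proxy_log(text) if h["verdict"] == "c2_exact"})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['verdict']:13} {hit['src']:10} {hit['method']} {hit['url']} ({hit['status']})")
    print("hosts to triage:", exact_hit_sources(SAMPLE_PROXY_LOG))
```

The host-only verdict is deliberately kept separate and lower in confidence: staff browsing the travel agency's French site produce it legitimately, whereas a POST to the `/bb/index.php` path on either host has no benign explanation on the page. Normalising away `www.` and the port keeps the match from being defeated by trivial URL variations in how the proxy logs the request.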