The internal project name of the analyzed malware is ‘Babar64’, which rings a bell when thinking back to the documents leaked through Der Spiegel in January. There, a slide deck originating from Communications Security Establishment Canada (CSEC) describes an alleged nation state malware named Babar. The samples at hand fit well with what is described in the CSEC document and, as CSEC states, they are suspected to originate from French intelligence.

As it is with binary attribution, these allegations are impossible to prove beyond the shadow of a doubt. What we can say with certainty, though, is that Babar strikes the analyst with a sophistication not typically seen in common malware. Furthermore, the binaries carry the same handwriting as the malware dubbed ‘Bunny’, which we have blogged about before (/evilbunny-malware-instrumented-lua/). We assume the same author is behind both families.


MD5                9fff114f15b86896d8d4978c0ad2813d
SHA-1             27a0a98053f3eed82a51cdefbdfec7bb948e1f36
File Size          693.4 KB (710075 bytes)



MD5                4525141d9e6e7b5a7f4e8c3db3f0c24c
SHA-1             efbe18eb8a66e4b6289a5c53f22254f76e3a29bd
File Size          585.4 KB (599438 bytes)



The initial infection vector is not known for certain; a target machine is possibly infected through a drive-by download or a malicious e-mail attachment. Babar is then deployed through a dropper, which installs the implant on the machine.

Babar is essentially an implant: a malicious 32-bit Windows DLL written in C++, which upon start injects itself into running processes and invades desktop applications by applying a global Windows hook. The original filename of the sample at hand is ‘perf585.dll’. The implant is capable of logging keystrokes, capturing screenshots, eavesdropping on installed softphones and spying on instant messengers, in addition to a list of simpler espionage tricks. Babar is a full-blown espionage tool, built to spy extensively on the activity of an infected machine’s user.

The DLL dropped by Babar is placed into the application data folder, along with a directory named ‘MSI’ in which the runtime data will be stored. Babar operates through multiple instances, injecting its DLL into a maximum of three desktop processes. This is achieved by loading the Babar DLL into the remote processes through a mapped memory object.



In addition, Babar comes with a userland rootkit component which applies global Windows hooks to invade all processes on its desktop. This way Babar can install API hooks for various APIs using a Detours-style technique (inline patching of the target function’s prologue) to actively steal data from arbitrary processes.

The spying activities are performed either locally by a Babar instance or inside the processes invaded via hooking. Instance-local capabilities are basic: spying on window names or snooping on clipboard data. The global hooks, in turn, steal information directly from the arguments of Windows API calls.

A summary of the capabilities would be as follows:

  • Logging keystrokes
  • Taking screenshots
  • Capture of audio streams from softphone applications
  • Stealing of clipboard data
  • Collecting the system and user default language and the keyboard layout
  • Collecting the names of desktop windows

The keylogger module is based on Windows RAWINPUT. The malware creates an invisible window with no other purpose than to receive window messages. The keyboard is registered as a raw input device for that window, so that every keystroke arrives in its message queue as a WM_INPUT message; while processing the queue, the module filters out these input events and retrieves the actual key data through GetRawInputData. Because raw input is delivered independently of which application has the keyboard focus, this captures keystrokes destined for other windows without a keyboard hook.



The interest of Babar’s process hooking module is focused on the following applications, divided into the categories internet communication, file processing and media:

  • Internet communication
  • File processing
    exe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe.txt
  • Media
    skype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe

The malicious implant can steal keyboard input and information on which files are edited; it can intercept chat messages and record calls established through one of the listed softphones. The stolen information is encrypted and dumped to a file on disk, located in the working directory %APPDATA%\MSI.
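The file hashes listed above, the original DLL name ‘perf585.dll’ and the ‘MSI’ runtime directory under %APPDATA% are the host artifacts a responder can check for directly. The following script is an added triage example written for this page; it is not G DATA code and nothing in it comes from the malware. It walks an application-data directory, hashes every file against the two sample digests quoted above, flags files carrying the original DLL name, and reports the runtime directory and its contents. The `demo()` function builds a constructed directory tree (a stand-in for an infected %APPDATA%, not real samples) so the logic can be exercised offline; on a live Windows host you would point `triage_appdata` at `%APPDATA%` instead.

```python
"""Host triage for the Babar artifacts described above (added example, not G DATA code)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Sample digests quoted in the analysis (MD5 and SHA-1 of the two Babar DLLs).
BABAR_MD5 = {"9fff114f15b86896d8d4978c0ad2813d", "4525141d9e6e7b5a7f4e8c3db3f0c24c"}
BABAR_SHA1 = {"27a0a98053f3eed82a51cdefbdfec7bb948e1f36",
              "efbe18eb8a66e4b6289a5c53f22254f76e3a29bd"}
# Filesystem artifacts from the analysis: original DLL name and runtime directory name.
DLL_NAME = "perf585.dll"
RUNTIME_DIR = "MSI"


@dataclass
class TriageResult:
    hash_hits: List[str] = field(default_factory=list)   # files whose MD5 or SHA-1 matched
    dll_hits: List[str] = field(default_factory=list)    # files named perf585.dll
    runtime_dir: str = ""                                # <appdata>/MSI if present
    runtime_files: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.hash_hits or self.dll_hits or self.runtime_dir)


def file_digests(path: str) -> Dict[str, str]:
    """MD5 and SHA-1 of a file, streamed so large files are not read into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def triage_appdata(appdata: str, md5s: Set[str] = BABAR_MD5,
                   sha1s: Set[str] = BABAR_SHA1) -> TriageResult:
    """Walk an application-data directory and collect the Babar indicators found in it."""
    result = TriageResult()
    msi = os.path.join(appdata, RUNTIME_DIR)
    if os.path.isdir(msi):
        # The directory name alone is weak evidence; record it and its contents as a lead.
        result.runtime_dir = msi
        result.runtime_files = sorted(os.listdir(msi))
    for root, _dirs, files in os.walk(appdata):
        for name in files:
            path = os.path.join(root, name)
            if name.lower() == DLL_NAME:
                result.dll_hits.append(path)
            try:
                d = file_digests(path)
            except OSError:
                continue  # unreadable or locked file: skip it, do not abort the scan
            if d["md5"] in md5s or d["sha1"] in sha1s:
                result.hash_hits.append(path)
    return result


def demo():
    """Triage a constructed directory tree (a stand-in, not a real infection) twice:
    once clean, once after the artifacts the analysis describes have been planted."""
    base = tempfile.mkdtemp(prefix="babar_demo_")
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")          # constructed benign file
    clean = triage_appdata(base)

    dll = os.path.join(base, DLL_NAME)
    with open(dll, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)               # constructed stand-in, not the real DLL
    os.makedirs(os.path.join(base, RUNTIME_DIR))
    with open(os.path.join(base, RUNTIME_DIR, "dump.bin"), "wb") as fh:
        fh.write(b"\x13\x37")                        # constructed stand-in for a dump file
    # Add the stand-in's own MD5 to the indicator set so the hash path is exercised too.
    extra_md5 = BABAR_MD5 | {file_digests(dll)["md5"]}
    infected = triage_appdata(base, md5s=extra_md5)
    return clean, infected


if __name__ == "__main__":
    # On a live Windows host, %APPDATA% is the directory the analysis names.
    target = os.environ.get("APPDATA")
    r = triage_appdata(target) if target else demo()[1]
    print("suspicious:", r.suspicious)
    print("hash hits:", r.hash_hits)
    print("DLL name hits:", r.dll_hits)
    print("runtime dir:", r.runtime_dir, r.runtime_files)
```

The hash match is the only strong indicator here; a directory called ‘MSI’ under %APPDATA% or a file named perf585.dll is a lead to be confirmed by hashing or by examining the file, since both names are easily changed by the operator. Treat any dump files found in the runtime directory as evidence to preserve, not as something to open on the host.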


The analyzed sample of Babar has two hard-coded C&C server addresses, included in its configuration data:


The first domain belongs to a legitimate website operated by an Algerian travel agency located in Algiers, Algeria. The website is in French and still online today. The second is a Turkish domain, currently responding with HTTP 403 (Forbidden). Both domains appear to be in legitimate use, but compromised and abused to host Babar’s server-side infrastructure.