ATK8

Presumed Origin: France < Back

Alias: Animal Farm, SNOWGLOBE

ATK8 (aka: Animal Farm, SNOWGLOBE) is a group of French origins known for its high quality malware. The group is active since at least 2009, and some of its malware have been associated with samples from as far as 2007. The group has been discovered in March 2014 after the publication of a series of slides from Edward Snowden. This group is probably supported by a state-nation, considering the fact that it uses advanced techniques but does not seem to be financially motivated. Another more precise indication makes it possible to link the group to France. For good reason, the name "Barbar" given to the group's spyware echoes a strictly French fictional character. Also, the backdoor called "Tafacalou" has a name whose meaning in Occitan French regional language is translated as:" it's gonna get hot"

While the group is not associated with any campaign in particular, the tool it uses have been in order to target various organizations, notably in Syria, Iran and Malaysia. More broadly, the group deploys its campaigns on a global scale with some twenty countries concerned.

The group mostly develops and use espionage tools, and the way the malware are deployed to their targets is mostly unknown, though some documents containing zero-day exploits have been used.

REFERENCES

Security Affairs, 2017: https://securityaffairs.co/wordpress/62811/malware/babar-2007-sample.html

Infosec Institute, 2015: https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/#gref

Security Affairs, 2015: http://securityaffairs.co/wordpress/34462/intelligence/babar-casper-french-intelligence.html

Security Affairs, 2015: http://securityaffairs.co/wordpress/38204/cyber-crime/dino-malware-animal-farm.html

ESET, 2015: https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/

ESET, 2015: https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/

Kaspersky, 2015: https://securelist.com/animals-in-the-apt-farm/69114/

Target sector

International Organizations
Media
Military

Target countries

Algeria
Austria
China
Congo, Democratic Republic Of The
Germany
Iran, Islamic Republic Of
Iraq
Israel
Malaysia
Morocco
Netherlands
New Zealand
Russian Federation
Sweden
Syrian Arab Republic
Turkey
Ukraine
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1001 - Data Obfuscation
T1002 - Data Compressed
T1008 - Fallback Channels
T1010 - Application Window Discovery
T1012 - Query Registry
T1020 - Automated Exfiltration
T1022 - Data Encrypted
T1027 - Obfuscated Files or Information
T1036 - Masquerading
T1041 - Exfiltration Over Command and Control Channel
T1043 - Commonly Used Port
T1050 - New Service
T1053 - Scheduled Task
T1055 - Process Injection
T1056 - Input Capture
T1057 - Process Discovery
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1064 - Scripting
T1071 - Standard Application Layer Protocol
T1074 - Data Staged
T1082 - System Information Discovery
T1093 - Process Hollowing
T1112 - Modify Registry
T1115 - Clipboard Data
T1119 - Automated Collection
T1123 - Audio Capture
T1125 - Video Capture
T1179 - Hooking
T1189 - Drive-by Compromise
T1203 - Exploitation for Client Execution
T1497 - Virtualization/Sandbox Evasion

Motivation

Espionage

Malwares

Babar
Casper
Dino
EvilBunny
Tafacalou

Vulnerabilities

CVE-2011-4369
CVE-2014-0515