The Animal Farm, an espionage group believed to be part of a French intelligence agency, has added to its zoo of tools with Dino, a backdoor espionage Trojan that uses complex methods to execute commands in a stealthy fashion.
It also uses a task-schedule tool to complete its mission, and uniquely enables the attacker to search for files by specifying file types, size of files and date ranges.
ESET uncovered the malware, a sample that was used in 2013 against targets in Iran. The original means of infection is unknown, though ESET believes Dino was installed by another program, as it contains an uninstallation command without the corresponding installation procedure. Given the set of commands it can receive, Dino’s main goal seems to be the exfiltration of files from its targets, the firm noted.
As ESET explains, Animal Farm is the security industry’s name for a group of attackers first described by Canada’s Communications Security Establishment (CSE) in a set of slides leaked by Edward Snowden in March 2014. In those slides CSE assesses with “moderate certainty” that this group is a French intelligence agency. Since then, several examples of malware created by Animal Farm have been found and publicly documented, in particular:
- Casper, a stealthy first-stage implant
- Bunny, a Lua-based backdoor
- Babar, an espionage platform
“Roughly, Dino can be described as an elaborate backdoor built in a modular fashion,” said Joan Calvet, an ESET malware researcher, in the analysis. “Among its technical innovations, there is a custom file system to execute commands in a stealthy fashion, and a complex task-scheduling module working in a similar way to the ‘cron’ Unix command. Interestingly, the binary contains a lot of verbose error messages, allowing us to see Dino’s developers’ choice of wording. Also, a few technical artefacts suggest that Dino was authored by native French speakers.”
Dino also allows the operators to look for files very precisely. For example, it can provide all files with a “.doc” extension, the size of which is bigger than 10 kilobytes, and that were modified in the last 3 days. We believe this exfiltration of files to be Dino’s end goal.
“Dino’s binary shows an intense development effort, from custom data structures to a homemade file system,” said Calvert. “As with other Animal Farm binaries, it bears the mark of professional and experienced developers.”
The amount of shared code between Dino and known Animal Farm malware leaves very little doubt that Dino belongs to Animal Farm’s arsenal, Calvert added.
For instance, at the very beginning of Dino execution, the current process name is checked against process names used by some sandboxes. A very similar check is present in Bunny samples, and in some first-stage implants deployed by Animal Farm.
To hide its calls to certain API functions, Dino employs a classic Animal Farm ploy: a hash is calculated from the function’s name and used to look for the address of the API function. The actual hashing algorithm used in Dino is the same that was used in Casper.
Also, Dino’s custom file system is present in several droppers used by Animal Farm.