Dino malware that targeted Iran belongs to Animal Farm’s arsenal

Researchers at ESET analyzed the Dino malware confirming that the sophisticated espionage platform belongs to the arsenal of the Animal Farm APT.

Security experts at ESET have analyzed Dino, a sophisticated platform used by the Animal Farm APT group.

Earlier this year, security researchers discovered two powerful malware families, dubbed Babar and Casper, likely developed by French intelligence to run cyber espionage operations worldwide.

Babar malware was used by the General Directorate for External Security (DGSE) for surveillance and cyber espionage operations; Casper was discovered by Canadian malware researchers, who also linked it to French intelligence.

Babar is a powerful spyware capable of eavesdropping on online conversations held via popular messaging platforms, including Skype, MSN and Yahoo Messenger, as well as logging keystrokes and monitoring victims’ web activities. Babar was used to spy on several Iranian nuclear research institutes and universities, and also to monitor the activities of European financial institutions. The name Babar appears in one of the documents leaked by Snowden: the secret slides produced by the Canadian intelligence agency link Babar to the French government.

The Casper malware was likewise used by the hackers to compromise target systems, spy on them and drop other advanced persistent malware.

Now, a researcher has found and analyzed Dino, a new member of the so-called “Animal Farm”, which was first detected in March 2014 when a French publication released Snowden’s slides describing a campaign dubbed “Operation Snowglobe.”

Several security firms, including ESET, Cyphort and G DATA, have analyzed in detail the malware belonging to the Animal Farm APT.

The connection between those pieces of malware and the group described in CSE slides has been convincingly established, for example by Paul Rascagnères (G Data).

The arsenal of the Animal Farm includes Babar, EvilBunny and Casper, but the list is longer: NBot, Tafacalou (TFC / Transporter) and Dino are other malicious codes used by the APT.

ESET published a detailed analysis of the Dino malware; ESET researcher Joan Calvet detected a single sample of Dino in the wild, used in an attempt to infect a target in Iran in 2013.

“Dino is so hard to find because the group behind the Animal Farm is really good at targeting people precisely, and we basically miss a lot of their samples,” Calvet told

Dino is modular malware: a number of components allow it to carry out several tasks, and the agent is able to execute commands sent by its C&C servers as well as Windows batch commands.

The malware is also able to search for specific files, upload files to the command and control (C&C) server, and download further files from the control infrastructure. The experts noticed that Dino can also schedule commands to be executed at a specified time, kill processes, and uninstall itself from the infected system without leaving traces of its presence.

Experts at Kaspersky explained that the Tafacalou malware is used by the Animal Farm APT to deliver further sophisticated spyware such as Babar and Dino.

The researchers discovered several similarities between the code of the Dino malware and other threats from the Animal Farm malware families. The experts highlighted that the developers of these malware families are French speakers.

“Dino’s binary contains a resource whose language code value is 1036. The original purpose of this language code is to allow developers to provide resources (menus, icons, version information…) for different locations in the world in the corresponding language. Interestingly, when a developer does not manually specify the language code, the compiler sets it to the language of the developer’s machine. So, which language corresponds to the value 1036, or 0x40c in hexadecimal? French (France).” states the report published by ESET.
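As an added example (not code from the ESET report or this post), the following Python decodes Windows LANGID values of the kind quoted above, including the 1036 / 0x40c value, by splitting them into primary and sub-language the way the Win32 MAKELANGID macro packs them, and parses a VarFileInfo\Translation block, another place a binary's resource locale is stored. The sample values are constructed; the language tables are deliberately partial.

```python
# Decode Windows LANGID values found in PE resource directories and in the
# VarFileInfo\Translation entry of VERSIONINFO, for build-locale triage.
from typing import Dict, List, Tuple

# MAKELANGID packs the primary language in the low 10 bits and the
# sub-language in the high 6 bits. Tables are a partial subset of winnt.h.
PRIMARY: Dict[int, str] = {0x00: "Neutral", 0x07: "German", 0x09: "English",
                           0x0C: "French", 0x19: "Russian"}
SUBLANG: Dict[Tuple[int, int], str] = {
    (0x07, 0x01): "Germany", (0x07, 0x02): "Switzerland", (0x07, 0x03): "Austria",
    (0x09, 0x01): "United States", (0x09, 0x02): "United Kingdom",
    (0x0C, 0x01): "France", (0x0C, 0x02): "Belgium", (0x0C, 0x03): "Canada",
    (0x0C, 0x04): "Switzerland", (0x19, 0x01): "Russia",
}
EN_US = 0x0409  # by far the most common value in Windows binaries; uninformative

def split_langid(langid: int) -> Tuple[int, int]:
    """Return (primary language, sub-language) from a 16-bit LANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F

def describe_langid(langid: int) -> str:
    """Human-readable locale, e.g. 1036 -> 'French (France)'."""
    primary, sub = split_langid(langid)
    if primary == 0x00:
        return "Neutral"  # resource explicitly marked language-independent
    lang = PRIMARY.get(primary, f"primary 0x{primary:02x}")
    region = SUBLANG.get((primary, sub))
    if region is None:
        region = "default" if sub == 0x01 else f"sublang 0x{sub:02x}"
    return f"{lang} ({region})"

def parse_translation(value: bytes) -> List[Tuple[int, int]]:
    """Parse a VarFileInfo\\Translation value: little-endian (langid, codepage) pairs."""
    if len(value) % 4:
        raise ValueError("Translation value must be a multiple of 4 bytes")
    return [(int.from_bytes(value[i:i + 2], "little"),
             int.from_bytes(value[i + 2:i + 4], "little"))
            for i in range(0, len(value), 4)]

def attribution_hints(langids: List[int]) -> List[str]:
    """Keep only locales that are neither neutral nor en-US; only those say
    anything about the machine the resources were compiled on."""
    seen: List[str] = []
    for lid in langids:
        if lid == EN_US or split_langid(lid)[0] == 0x00:
            continue
        desc = describe_langid(lid)
        if desc not in seen:
            seen.append(desc)
    return seen

if __name__ == "__main__":
    # Constructed sample: a Translation block carrying 0x040C / code page 1200.
    print(parse_translation(b"\x0c\x04\xb0\x04"), describe_langid(1036))
```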

Another clue discovered by the researchers is the presence in a file path of the word “arithmetique,” which is French for “arithmetic.”

Experts at ESET explained that the Dino malware, unlike other codes used by the Animal Farm APT, doesn’t implement sophisticated anti-analysis techniques.


Pierluigi Paganini

(Security Affairs –Dino Malware, Animal Farm)
