Researchers analyze backdoor ‘Dino’ linked to Animal Farm spy group

Analysts believe that a sophisticated backdoor called “Dino,” which has been linked to the Animal Farm cyberespionage group, is the handiwork of French-speaking developers.

On Tuesday, ESET malware researcher Joan Calvet detailed the company's findings in a blog post analysis, noting that very little is actually known about Dino's victims “except that they were located in Iran in 2013.”

Back in March, Kaspersky Lab revealed that the Animal Farm spy group has been active since at least 2009 and has been observed exploiting zero-day vulnerabilities. In addition to Dino, Animal Farm has used other tools to compromise targets, including Bunny, NBot, Casper and Babar.

After further analyzing the backdoor Dino, ESET's Calvet wrote that the threat “can be described as an elaborate backdoor built in a modular fashion.”

“Among its technical innovations, there is a custom file system to execute commands in a stealthy fashion, and a complex task-scheduling module working in a similar way to the ‘cron’ Unix command. Interestingly, the binary contains a lot of verbose error messages, allowing us to see Dino's developers' choice of wording. Also, a few technical artifacts suggest that Dino was authored by native French speakers,” Calvet said.

The researcher listed seven modules contained in the Dino binary, including modules for configuration storage, uploading and downloading files, command execution, and scheduling tasks. He also noted that Dino “heavily relies” on a custom data structure called “DataStore,” in which all of Dino's modules store their content. Calvet later added that the malware accepts a long list of commands, including ones to retrieve reconnaissance information from the infected machine, uninstall Dino using the custom file system, search for files whose names match given patterns, schedule file transfers to the command-and-control server, and schedule the malware to “wake-up” after a certain time period.

Calvet also shared two indicators that Dino's developers are French speakers: Dino's binary “contains a resource whose language code value is 1036,” which denotes the French language, and French text was included in Dino's GnuMP code.

With regard to the language code value used, Calvet noted that a “non-French speaking developer could have deliberately set this value to mislead attribution efforts,” but this didn't appear to be the case here.

“...in more recent Animal Farm binaries (for example Casper), this language code has been set to the classical English (USA) language code. Therefore, it seems that Animal Farm developers forgot to set this value in their first creations, realized their mistake at some point, and decided to set a standard value. Someone using the language code as a false flag would have likely kept the strategy going,” he explained.
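The language code Calvet refers to is stored at the third level of a PE file's resource directory tree (type, name, language). As an added example, not taken from ESET's analysis or from this article, the following Python code walks a raw `.rsrc` section and reports each resource's language ID; the sample bytes are constructed, and the function names are hypothetical.

```python
import struct

SUBDIR = 0x80000000  # high bit of an entry's offset: it points to another directory
# Two Windows LANGID values named in the article; all others are reported as "unknown".
LANGID_NAMES = {0x040C: "French (France)", 0x0409: "English (United States)"}

def _entries(rsrc, dir_off):
    """Yield (id, offset, is_subdir) for each entry of one IMAGE_RESOURCE_DIRECTORY."""
    if dir_off + 16 > len(rsrc):
        raise ValueError("directory header outside section")
    named, ids = struct.unpack_from("<HH", rsrc, dir_off + 12)
    if dir_off + 16 + 8 * (named + ids) > len(rsrc):
        raise ValueError("directory entries outside section")
    for i in range(named + ids):
        ident, off = struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)
        yield ident, off & ~SUBDIR, bool(off & SUBDIR)

def resource_languages(rsrc):
    """Walk the fixed type -> name -> language levels; return (type, name, langid) tuples."""
    found = []
    for type_id, type_off, is_dir in _entries(rsrc, 0):
        if not is_dir:
            continue
        for name_id, name_off, is_dir2 in _entries(rsrc, type_off):
            if not is_dir2:
                continue
            for langid, _data_off, is_dir3 in _entries(rsrc, name_off):
                if not is_dir3:  # leaf: the entry ID is the language code
                    found.append((type_id, name_id, langid))
    return found

def describe(langid):
    """Split a LANGID into (label, primary language, sublanguage)."""
    return LANGID_NAMES.get(langid, "unknown"), langid & 0x3FF, langid >> 10

def _dir(*entries):
    """Build one directory with ID-only entries (helper for the constructed sample)."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", i, off) for i, off in entries)

# Constructed .rsrc bytes: one RT_VERSION (type 16) resource, name ID 1, language 1036.
SAMPLE_RSRC = (
    _dir((16, SUBDIR | 24))    # offset 0:  type level
    + _dir((1, SUBDIR | 48))   # offset 24: name level
    + _dir((1036, 72))         # offset 48: language level, leaf at 72
    + bytes(16)                # offset 72: empty IMAGE_RESOURCE_DATA_ENTRY
)

if __name__ == "__main__":
    for type_id, name_id, langid in resource_languages(SAMPLE_RSRC):
        print(type_id, name_id, langid, describe(langid))
```

A language ID read this way is set at build time and can be chosen freely, which is why Calvet weighs it against the later Animal Farm binaries rather than treating it as proof on its own.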

Overall, Calvet warned that Dino's binary “shows an intense development effort, from custom data structures to a homemade file system.”

“As with other Animal Farm binaries, it bears the mark of professional and experienced developers,” he wrote.
