Thursday, 2 July 2015

Dino: New Espionage Trojan from Animal Farm

ESET offers the first analysis of the latest cyber-espionage threat from the group responsible for Babar and Bunny.

ESET has today published an in-depth research article entitled ‘Dino - the latest spying malware from an allegedly French espionage group analysed’. ESET research found further evidence to suggest that this technically complex backdoor Trojan used for espionage purposes was coded by French speakers.

Dino was created by the notorious Animal Farm espionage group, the team behind the sophisticated malicious attacks Casper, Bunny and Babar. “Dino is basically an elaborate backdoor Trojan, built in a modular fashion,” explains Joan Calvet, ESET Malware Researcher who analysed the malware. “Among several technical innovations, there is a custom file system used to execute commands in a stealthy fashion as well as a complex task-scheduling module that works in a similar way to the ‘cron’ Unix command.”

ESET research also lists the commands accepted by the Dino binary, alongside the names chosen by the malware’s developers. The ‘search’ command proved to be particularly interesting, as it allows the operators to look for files with meticulous precision. For example, the malware operator can search infected systems by specifying file types, file sizes and a last-modified date range.

Calvet also discovered two additional indicators to suggest that Animal Farm developers are French speakers: “The wording in the verbose error messages raised our suspicions,” said Calvet. “That, along with language code values set by the compiler, provided further evidence that the malware’s developers are indeed French speakers. Of course, it is possible we are being deliberately misled, but I suspect that the Animal Farm team forgot to adjust the language code values in Dino.”

For more information, see ESET’s in-depth analysis of the Dino backdoor Trojan on our blog: ‘Dino - the latest spying malware from an allegedly French espionage group analysed’.