Security researchers at ESET in Bratislava, Slovakia have published an analysis of another apparently state-sponsored cyber-espionage tool used to target computers in Iran—and potentially elsewhere. The malware, also recently mentioned by Kaspersky researchers, was named "Dino" by its developers and has been described as a "full featured espionage platform." And this advanced persistent threat malware, according to researchers, might as well come with a "fabriqué en France" stamp on it.

Based on analysis of Dino's code from a sample that infected systems in Iran in 2013, "We believe this malicious software has been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and Babar malware," ESET's Joan Calvet wrote in a blog post today. The Casper malware was part of a large-scale attack on Syrian computers last fall. "Dino contains interesting technical features, and also a few hints that the developers are French speaking," Calvet noted.

Other members of the "Animal Farm" malware family have been attributed to French intelligence agencies by researchers—including a 2011 analysis by Canada's Communications Security Establishment revealed by documents leaked by former National Security Agency contractor Edward Snowden. Dino shares attributes with the other members of the "Animal Farm" malware family and improves on many of the techniques of "Babar," the previous generation intelligence-gathering software implant.

Napoleonic code

Dino's role is to exfiltrate data—package it and ship it back through a command and control network infrastructure to the malware's masters. Calvet described Dino as "an elaborate backdoor built in modular fashion." It uses its own task-scheduling code similar to cron in Unix and a custom, encrypted in-memory file system called "ramFS" by its developers—a characteristic shared with other "Animal Farm" malware. The ramFS file system acts as a "protected container" for Dino's executable files, allowing the malware to self-destruct and leave few traces in disk storage of the system that was infected.

To keep Dino persistent between shutdowns and restarts of a targeted system, Dino uses on-disk encrypted file storing modules and data stores in a serialized format. When the malware restarts after a system reboot or remote reset, a module in the malware called PSM decrypts the storage file and loads its contents back into the ramFS memory. "Funnily enough," Calvet wrote, "the key serving to encrypt the file on disk is 'PsmIsANiceM0du1eWith0SugarInside.'"

The ESET researchers cataloged the commands that could be remotely executed through Dino and found that most of them were focused on searching through files and performing covert file transfers. The "search" command can perform very specific gathering tasks, Calvet noted. "For example, it can provide all files with a '.doc' extension, the size of which is bigger than 10 kilobytes, and that were modified in the last 3 days," Calvet wrote. The search command packs all the files it finds into an archive, which is in turn scheduled for upload to the command and control servers.

The output returned from Dino's "sysinfo" command bears a striking resemblance to the data format used by "beacon" malware discovered by the Canadian Communications Security Establishment's analysts—data that led the CSE to discover the Babar malware. It sends back information on the infected system and its owner, as well as the version number for the malware itself. Additional signs of Dino's connection to a French organization include resources in the compiled binary that bear the hexadecimal language code value of 1036—the code for "French (France)."

Also, Dino's code is statically linked to the GNU Multiple Precision Arithmetic Library (GnuMP); the GnuMP code in Dino included path references to C libraries from the developer's computer, which include a directory called "arithmetique" (French for arithmetic). And while the error logging code of Dino is in English, it does not appear to be the English of a native speaker.

ESET researchers would not definitively say that they believe French intelligence is behind Dino, but they did strongly connect Dino to the other malware already attributed to the Animal Farm group.

Target du jour

Dino was detected on multiple systems in Iran in 2013, according to Calvet. That is consistent with the focus of its predecessor, Babar, which was on Iran's science and technology community, according to CSE analysts. But the Animal Farm group has also used malware to spy on a broad range of targets in Europe, Africa, and North America—including a possible infiltration of a French-language media company in Canada.

According to Kaspersky, Dino is distributed by a malware package called Tafacalou. The vast majority of Tafacalou victims have been in Syria, Iran, and Malaysia—with the US and China trailing far behind.

Other members of the Animal Farm malware family have been detected as far back as 2010, and researchers at Kaspersky believe the group behind Animal Farm has been active since at least 2009, "and there are signs that earlier malware was developed as far back as 2007," a member of Kaspersky's Global Research and Threat Analysis Team wrote in a March blog post.

Humanitarian organizations, activists, and businesses have been targeted, as well as government organizations and military contractors—indicating that economic espionage and national security issues are on the menu. For example, Babar was used to target the European Financial Association and targets in Greece, Norway, and Spain.

While Dino and its cohorts don't offer direct evidence of cyber-espionage by a specific French intelligence organization, they do suggest that France's government is attempting to play on the same stage as the NSA and its "Five Eyes" counterparts in the United Kingdom, Australia, Canada, and New Zealand.