French speakers behind Dino spyware, say researchers

Dino, described as a technically complex backdoor Trojan used for espionage purposes, was originally coded by French speakers, according to a blog by ESET. 

The company believes that Dino was created by the Animal Farm espionage group, which developed Babar, Bunny and Casper, because Dino shares very specific parts of its code with that malware.

Animal Farm is the name of a group of attackers first described by Canada's Communications Security Establishment (CSE) in a set of slides leaked by Edward Snowden in March 2014. In those slides CSE assesses with “moderate certainty” that this group is a French intelligence agency. ESET's blog says, "The amount of shared code between Dino and known Animal Farm malware leaves very little doubt that Dino belongs to Animal Farm's arsenal."

As ESET acknowledges, attribution of malware is rarely 100 percent certain, as it is always possible to conduct elaborate spoofing. However, the indications that Dino has French-speaking origins include the language of the computer that was used to create Dino, which is recorded in the program.

Dino's binary contains a resource whose language code value is 1036; when a developer does not manually specify the language code, the compiler sets it to the language of the developer's machine, and 1036, or 0x40c in hexadecimal, corresponds to French. 

Malware developers usually remove this pointer, and later versions did change it to US English, whereas a spoofer would presumably have kept the original value.
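Added example, not from ESET's blog or this article: Python code showing how an analyst can read the language codes stored in a PE resource directory and decode a value such as 1036 into its primary language. It assumes the raw bytes of the resource section have already been extracted from the file; the sample bytes and all function names are constructed for illustration.

```python
import struct

# Primary language = low 10 bits of a Windows LANGID (small subset shown).
PRIMARY = {0x00: "neutral", 0x09: "English", 0x0C: "French"}
SUBDIR = 0x80000000  # high bit of an entry's offset: points to a subdirectory

def _entries(rsrc, off):
    """Yield (id, is_subdir, offset) for the IMAGE_RESOURCE_DIRECTORY at off."""
    named, ids = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(named + ids):
        ident, target = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        yield ident, bool(target & SUBDIR), target & 0x7FFFFFFF

def resource_languages(rsrc):
    """Walk the type -> name -> language levels; return (type, name, langid)."""
    found = []
    for rtype, is_dir, type_off in _entries(rsrc, 0):
        if not is_dir:
            continue
        for name, is_dir, name_off in _entries(rsrc, type_off):
            if not is_dir:
                continue
            for langid, is_dir, _ in _entries(rsrc, name_off):
                if not is_dir:  # leaf entry: its ID is the language code
                    found.append((rtype, name, langid))
    return found

def describe(langid):
    """Split a LANGID into primary language and sublanguage."""
    primary, sub = langid & 0x3FF, langid >> 10
    name = PRIMARY.get(primary, "other")
    return f"{langid} (0x{langid:x}): {name}, sublanguage {sub}"

def _dir(*entries):
    """Build one directory table with ID entries only (sample builder)."""
    head = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return head + b"".join(struct.pack("<II", i, t) for i, t in entries)

# Constructed sample .rsrc bytes, not taken from Dino: one resource of
# type 16 (RT_VERSION), name 1, language 1036. Each table is 24 bytes.
SAMPLE = (_dir((16, SUBDIR | 24)) + _dir((1, SUBDIR | 48)) + _dir((1036, 72))
          + struct.pack("<IIII", 0x1000, 0, 0, 0))  # data entry at offset 72

if __name__ == "__main__":
    for rtype, name, langid in resource_languages(SAMPLE):
        print(f"type {rtype} name {name}: {describe(langid)}")
```

A truncated or malformed resource section raises `struct.error`, which a triage script should catch and record rather than treat as "no language set".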

Secondly, the developers left visible in the program a directory named "arithmetique", which contains part of the Dino source code on the developer's computer.

ESET believes that Dino is only deployed for major targets, following reconnaissance using less sophisticated malware such as Casper, hence few samples have been found, making investigation of Dino more complicated.

The sample of Dino documented in the blog post was used in 2013 against targets in Iran. It was installed by another program, and it has an uninstallation command without the corresponding installation procedure. Given the set of commands it can receive, Dino's main goal seems to be the exfiltration of files from its targets. The binary's original name, “Dino.exe”, has been left visible by its authors.

In an email to the press, Joan Calvet, the Canada-based ESET malware researcher who analysed Dino, said that it is “basically an elaborate backdoor Trojan, built in a modular fashion”.

He added: “Among several technical innovations, there is a custom file system used to execute commands in a stealthy fashion as well as a complex task-scheduling module that works in a similar way to the ‘cron’ Unix command.”

ESET's research also lists the commands accepted by the Dino binary, alongside the names chosen by the malware's developers. The ‘search’ command reportedly proved to be particularly interesting, as it allows the operators to look for files with what it describes as ‘meticulous precision’. For example, the malware operator can search infected systems by specifying file type, file size and a date range for when files were last modified, e.g. it can return all files with a “.doc” extension that are bigger than 10 kilobytes and were modified in the last three days.

Calvet discovered other indicators suggesting Animal Farm's developers are French speakers. “The wording in the verbose error messages raised our suspicions. That, along with language code values set by the compiler, provided further evidence that the malware's developers are indeed French speakers. Of course, it is possible we are being deliberately misled, but I suspect that the Animal Farm team forgot to adjust the language code values in Dino.”

The findings are also discussed in a blog from ESET.