Dino - new state-sponsored spyware with french roots

The name Animal Farm was given to the cyber group, which was mentioned by the Canadian organization Communications Security Establishment (CSE) in a series of presentation slides .dedicated to a fugitive NSA employee Edward Snowden in March 2014. These slides indicate that the French intelligence agency is involved in this group. After that, antivirus companies detected several malicious programs that were created by this cybergroup.
These malware include:
- Casper, so-called a first-level implant that has been documented by ESET .
- Bunny, a backdoor written in the Lua language, was documented by the researcher Marion Marschalek (Cyphort).
- Babar, a cyber espionage malware, is also documented by Marion Marschalek.
The connection between these malicious programs and the involvement of Animal Farm has been convincingly proven by G DATA researcher Paul Rascagnères. Our study focuses on another malicious program behind this cybergroup. She is called Dino.
General information
The malware file we analyzed was used in 2013 in targeted cyber attacks against Iran. The original infection vector remained unknown, however, we believe that Dino was installed by another malicious program, since it contains procedures for removing itself from the system and does not contain a similar installation procedure. Considering the set of commands that Dino can receive, we believe that its main goal is to obtain files on the infected system and then send them to a remote server (exfiltration).
The name of the malware was left by the authors in its body, as was the case with the other Casper malware, which we mentioned above. Apparently, the name Dino was borrowed from one of the characters in the cartoon The Flintstones. This malware was mentioned in a study by the antivirus company Kaspersky Lab.
In general, we can say that Dino is a complex backdoor, built on a modular basis. Among the technical features, we can mention our own file system, which is used to execute commands in a secretive style, as well as a special integrated module that runs as a scheduled task (task-scheduling module) and works similarly to the cron commandon UNIX. The executable file contains many different informational error messages, which allows us to conclude that the developers of the malware were people with very good knowledge of the French language.
Malware structure The malware
was written in C ++ and uses a modular architecture. The following list of malware modules was extracted from the Dino executable. The names of the modules were given by the developers themselves.

Dino uses in its work a special data structure called “DataStore”. In particular, all modules of a malicious program store their data inside this structure, so understanding the format and content of this structure is the key to understanding how malware works in general.
The DataStore structure is an associative container (map), which stores associations (correspondences) between string keys and values of 8 different data types. The implementation of this data structure is based on a hash table. This means that in order to get the value that is associated with the key, you need to calculate the hash of this key to find the container element from which the value will be extracted.
The hash is a value of one byte, which is calculated using a series of XOR operations on the key. Each value of a container element is the head of a linked list that contains key / value pairs. The following is a snippet of malware code that is responsible for retrieving the value associated with a key.

The DataStore structure can also be stored as a simple contiguous array in memory that begins with a special DxSx signature. This storage format is used by the PSM to store the contents of the Dino modules in an encrypted file. When the PSM needs to save this structure from memory to a file on disk, it saves it in this format. After restarting the malicious program, its code performs the operation of converting this data into the structure of an associative container. The key used to encrypt the file with the structure data on the disk corresponds to the line “PsmIsANiceM0du1eWith0SugarInside”.
As we mentioned above, initially Dino configuration data is stored as a simple array (so-called serialized DataStore object) of data that is stored in the archive and is located at the end of the executable file of the malicious program. During its execution, this data is converted into an associative container and stored in memory inside the CORE module. We were able to get a list of the contents of the configuration data using the “conf –l CORE” command, which will be described later. Below is this retrieved configuration information.

The purpose of some keys is clear by their name, however, some need a more detailed explanation.
- “RecID”: Animal Farm cybergroup uses this field in the structure to identify the victim. In the case of the Dino sample considered by us, this field contained the value “11173-01-PRS”. Another malware that was used by this group, Casper, used the value 13001 as the value, and some Babar samples used the values “12075-01” and “11162-01”.
- “ComServer”: these keys contain URL values for controlling C&C servers. All of these addresses were already invalid at the time of our analysis. Legitimate websites were used as domains for these C&C servers, which is a common practice for the Animal Farm cybergroup.
- “Version”: the version of the malware, in our case, the field was set to “1.2”, which is also confirmed by the name of the “din12” directory, the link to which appeared in one of the URLs of the controlling C & C server. Another directory called “d13” was seen in a different address of the Animal Farm C & C server (see section 3.7 “Calling home” of the Babar report ), which indicates the use of other versions of Dino in-the-wild malware.
- “BD_Keys” and “CC_Keys” contain cryptographic keys for encrypting network traffic with a C & C server. The values of these keys begin with the MAGICBOX signature.
- The names of the last three keys (see the screenshot above) are stored in an obfuscated form (“xT0rvwz”, “tr4qa589” and “jopcft4T”) and contain parameters used to work with the malware file system.
The following table indicates the commands that attackers can send to the bot. Each command may have one or more arguments.


One of the above commands is of particular interest, this is the search command. It allows malware operators to search for files on a compromised computer. The search can be quite advanced and can be performed not only by the name mask, but also by other characteristics of the file. For example, an operator may request a search for files with a .doc extension that are larger than 10KB and that have been modified in the last three days. We believe that the main purpose of Dino was to steal files (exfiltration).
When it starts, Dino sequentially executes the commands that are stored in the “InitialCommands” section of the configuration file. The sample we analyzed contained the following commands.
sysinfo
cominfos
! ipconfig / all
! ipconfig / displaydns
! tracert www.google.com
Obviously, these commands are used by operators as intelligence. Their execution is provided by the CMDEXEC module, and in memory the commands are located inside the CMDEXECQ module. The result of these commands is sent to the C & C server.
RamFS: temporary file system
The malicious program uses its (custom) file system called ramFS. It provides the malicious program with a special integrated structure for storing file data in memory, while each of the elements of the file system contains the name of the file used by a regular disk FS. RamFS also supports a set of commands that can be placed in files and then executed. It should be noted that ramFS is also present in other malicious programs of the Animal Farm cybergroup.
RamFS content is initially stored in encrypted form in the configuration file section (associative container key value) under the name “xT0rvwz”. The content decryption key (RC4) is stored as a value in the tr4qa589 element. Once the file system is decrypted, it will be stored in memory as a linked list of 512 byte blocks, each of which is encrypted using RC4. When searching for a file in RamFS, malicious code will decrypt each of these blocks, then process them, and then encrypt again. Thus, work with the file system is organized at the proper level of security.
Below are some high-level characteristics of this FS.
- The name of the files and their contents are presented in Unicode encoding.
- File names are limited to 260 characters.
- After decryption, the malicious code will work with the file data in blocks of 540 bytes.
- The FS does not associate any metadata with the file.
We could not find any known file system whose data structures corresponded to ramFS, therefore, we believe that this file system is a proprietary development of the Animal Farm cybergroup.
The following commands may be executed by malware in the context of the file system.

In the case of Dino, ramFS acts as a secure repository for a file that contains instructions for removing malware from the system. Dino developers call this file the uninstaller (cleaner) and it runs on the system when the bot receives the killBD command. The figure below shows the malicious code that is responsible for executing the uninstaller file. The first thing he does is get the file name from the DataStore structure ("a.ini") mentioned above, why does he get the key to decrypt the contents of ramFS. Next, the file system is mounted in memory for extraction from there and execution of the uninstaller file. The explanatory lines indicated by the developers provide a visual representation of the actions carried out by the malicious code.

The uninstaller executable file contains the line “INSTALL -A“ wusvcd ”–U”, which removes the malicious program from the system. The name "wusvcd" was used when installing Dino on the system. Therefore, ramFS is used as a secure container for files that will be executed by malware on the user's computer. Thus, it offers an execution environment for the programs necessary for the operator in the user system, which leaves very few traces.
Scheduling Tasks
The cronadd, cronlist, and crondel commands are used to add, list, and delete scheduled tasks of the CRONTAB module. The tasks are the Dino teams mentioned above. Malicious program uses cron commandsyntax for scheduling tasks. In particular, the time for which the task is planned is indicated by the line in the following format: “minute hour day month year year weekly”. In addition, this line can be replaced with "@boot" to run the specified command every time the system boots. The following is an example of the output of the cronlist command after the execution of the wakeup command was scheduled for April 7, 2015 at 15:44.

As we can see, each element has its id id, which starts with the value 0xC0. The purpose of the “Local” field remains unclear for us. The “Count” field indicates the number of times the command was executed, the value “-1” means that the command should be executed once. The last field “Visibility” indicates whether the malicious code will inform its C&C server about the success of the command (another possible value is “Silent”).
Origin of Dino
The volume of executable code that is common to all malicious programs of the Animal Farm group leaves little doubt about the answer to its origin. Among the features that are common to these malware are the following.
- At the very beginning of its execution, Dino checks the name of the current process to match the names of the sandboxes processes. The screenshot below shows this check. Similar checks ("klavme", "myapp", "TESTAPP" and "afyjevmv.exe") are present in the Bunny samples and other samples of the Animal Farm malware group.

- To hide calls to various API functions, Dino uses a method that has been seen in use by other Animal Farm malware: Dino calculates a hash of the function name and uses it to find the address of the function in its table. The Dino hash algorithm is similar to that used by Casper; it uses a combination of the ROL function for 7 bits, as well as the XOR operation.
- Dino's own file system, called ramFS, is also used in other malicious programs of the Animal Farm group. In these samples, it is used to store payload files. For example, the following is the ramFS command used by some NBOT droppers.

- Another proof that Dino belongs to the Animal Farm group is the output format of the command to obtain information about the system. It is very similar to the output of a similar command for an updated version of the beacon component of the SNOWBALL implant, which was described in the mentioned CSE slides.


A malicious program has at least two indicators that it was written by developers with good knowledge of the French language.
- The executable file of the malicious program contains a resource with a language code equal to 1036. The main purpose of this resource is to provide developers with the localization of the necessary controls (menus, icons, version information) for different countries in several languages. It should be noted that in the case when the program developer does not manually set this value of the language code, the compiler sets it to the value of the language code of the developer OS. Value 1036 corresponds toFrench language. We believe that this value is not false, because in some other samples of the malware of the Animal Farm cybergroup (e.g. Casper), the language code was set to English (USA). It seems that for those samples, Animal Farm developers simply forgot to set the correct language value and fixed it in the case of Dino. We encountered code 1036 not only in Dino samples, but also in other malicious programs of the Animal Farm group.
- The Dino executable is statically linked with the GnuMP library , which is used to work with large numbers in cryptographic algorithms. This code in the Dino samples contains the following local paths. It can be seen that the French word “arithmetique” is used in the name of the path directory, which corresponds to the English “arithmetic”.
.. \ .. \ src \ arithmetique \ mpn \ mul.c
.. \ .. \ src \ arithmetique \ printf \ doprnt.c
.. \ .. \ src \ arithmetique \ mpn \ tdiv_qr.c
.. \ .. \ src \ arithmetique \ mpn \ mul_fft.c
.. \ .. \ src \ arithmetique \ mpn \ get_str.c
Conclusion
Dino malware shows a good training for authors who used special data structures and their own file system to store configuration data and files. Like other Animal Farm malware, Dino is a product of highly professional and experienced developers. However, the Dino code demonstrates the authors ’poor knowledge or simply their lack of interest in mechanisms that prevent malware analysis, which distinguishes it from Casper. The body of the malware contains many different diagnostic messages by which you can predict the behavior of the program.

All of these messages greatly facilitate understanding of the internal structure of Dino and the actions it performs. However, many of them contain typos.
As for the victims of Dino, we know very little about them. According to the already mentioned CSE presentation, the victims were located in Iran. Below is a presentation slide with information about the victims.

Indicators of compromise (IoC)
