'Dino,' French Malware Targeting Iran, Searches for Specific Data and Steals It

A researcher has found traces of yet another targeted French computer espionage operation.

Jun 30 2015, 10:00am

Earlier this year, security researchers tracked down and dissected Babar and Casper, two powerful cyberespionage tools likely created by France's spies.

Now, a researcher has found and analyzed the latest member of the so-called "Animal Farm" of malware, whose computer viruses get names from popular cartoons.

After the elephant with the green tuxedo and the friendly ghost, here's Dino, a spyware programmed to search and surreptitiously steal data from a target's computer, and whose name appears to be inspired by the pet dinosaur from the 60s TV show The Flintstones.

Joan Calvet, a researcher at security firm ESET, has found a single sample of Dino in the wild. It was used to try to infect a target in Iran in 2013, and Calvet found it by "digging" through ESET's virus collections, looking for strains that shared similarities to Babar and Casper. (The malware was briefly mentioned by Kaspersky Lab in a post about the so-called Animal Farm in March, but until now nobody had published details of it.)

"Dino is so hard to find because the group behind the Animal Farm is really good at targeting people precisely, and we basically miss a lot of their samples," Calvet told Motherboard.

"Dino is so hard to find because the group behind the Animal Farm is really good at targeting people precisely."

"I tend to believe Dino was deployed on a very limited number of persons," Calvet added, explaining that it's unusual to have only one sample of a certain malware, no matter how targeted.

Calvet said that unfortunately, he doesn't have data on who was the precise target of the Dino sample he found—nor what the attackers were after. All we know, he said, is that the target was someone, or some organization, inside of Iran.

That clue, however, seems to confirm that Dino is part of the same family of malware than Babar, and Casper, and was likely created by the same authors, according to Calvet.

In a document leaked by Edward Snowden and published last year, the Canadian intelligence agency Communications Security Establishment (CSE) concluded with "moderate certainty" that Babar was part of "a French intelligence agency" hacking operation against Iranian government targets.

Given that Babar, Casper, Dino and another malware strain named Bunny share some code and unique features, researchers are convinced that the same group is behind all of them.

Who is that group, however, is not entirely clear, although all signs point to France's spying agency, the General Directorate for External Security (DGSE).

France's Defense Ministry, as well as the country's embassy in the United States, did not respond to Motherboard's requests for comment.

Calvet, who is publishing the results of his research in a blog post on Tuesday, said that there's no data inside Dino that proves that the DGSE was behind it, but he said is "very confident" that the authors are the same as the ones behind Babar and Casper, and that they are French speaking.

A "beacon" command contained inside of Dino looks like an "updated version" of a similar command shown in one of the leaked CSE slides, according to Calvet's research.

"I couldn't find any other malware using the same field names," Calvet said, arguing that this is a clear sign that Dino is connected to Babar.

In fact, Babar was described as a sophisticated platform that can be used to deploy other malware implants with different functionalities. Dino is likely one of them, more specifically the final payload or backdoor, according to Calvet.

Given how hard it was to find, perhaps the authors thought they'd never get caught.

Some code inside of Dino shows file paths containing the word "arithmetique," the French word for "arithmetic," and the language code is set to French, according to the report. These clues, according to Calver, point to French developers being behind Dino.

The developers also left a lot of comments inside the code, something that's unusual for a piece of malware, according to Calvet. These messages, full of spelling mistakes, gave him "substantial help" in understanding how the malware worked.

"I can't really explain why they provided so much information," Calvet told Motherboard. Perhaps the authors didn't care if someone analyzed the malware; perhaps, given how hard it was to find, they thought they'd never get caught.

"And they were almost right…:)" Calvet said in an encrypted chat.