In this blog we describe a sophisticated backdoor, called Dino by its creators. We believe this malicious software has been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and Babar malware. Dino contains interesting technical features, and also a few hints that the developers are French speaking.
Animal Farm is the security industry’s name for a group of attackers first described by Canada’s Communications Security Establishment (CSE) in a set of slides leaked by Edward Snowden in March 2014. In those slides CSE assess with “moderate certainty” that this group is a French intelligence agency. Since then, several examples of malware created by Animal Farm have been found and publicly documented, in particular:
- Casper, a stealthy first-stage implant, documented by ESET in last March
- Bunny, a Lua-based backdoor, documented by Marion Marschalek (Cyphort)
- Babar, an espionage platform, also analyzed by Marion Marschalek
The connection between those pieces of malware and the group described in CSE slides has been convincingly established, for example by Paul Rascagnères (G Data).
In this blog post we add a new piece to the puzzle with Dino, another malicious program belonging to Animal Farm’s arsenal.
Full Story @ [welivesecurity]