Published on July 01, 2015

Analysis of Dino, the French APT

Eset published the analysis of Dino, a recently discovered APT that seems to be tied to the Animal Farm, the same group that allegedly developed Casper, Babar (previously analyzed by ReaQta) and Bunny.

Dino appears to be quite sophisticated and extremely curious when it comes to data. Beyond any doubt it’s been developed as a data exfiltration tool. even though most of its functionalities can be used as a bridge to deploy new malware and new modules on the compromised machine. After obtaining a live sample we’ve run it inside one of our hosts.
The infection process is blocked in the earliest stage by the A.I. engine that immediately detects a process impersonation attempt. Further analysis shows that indeed the first infection stage tries to infect svchost.exe and run from there, the technique is effective since the Antivirus installed on the test machine didn’t notice anything. Looking at the code we can see what are the steps involved.
The target, as confirmed by our analysis engine, is svchost.exe that is replaced by Dino’s code and then resumed on the new entry point.
Dino has a wide range of capabilities and it is actively interested in the content of the user’s folder and his/her browsers’ profiles.
In order to access the internet, even when a network proxy is in use, the default browsers are checked and their settings inspected. This is another indicator that this malware has been developed to target corporate and institutional targets as opposed to home networks.
This malware has a wide range of commands available and the picture shows a part of them:
A more thorough analysis shows that Dino is fully capable of downloading new components, run them, schedule new tasks and update itself. The encrypted file system is probably one of the most interesting and smart features that is certainly not very common. Without any doubt this is an interesting APT, certainly aimed at data exfiltration but potentially capable of much more through the usage of new modules while keeping it under the radar without being too intrusive on the system.
Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!