Dino Malware exposed: Found Spying on Iran and Syria

Links traced to “Animal Farm” group and State Sponsored cyber criminals who already have targeted Syrian and Iranian computers in 2013.

Bratislava, Slovakia-based security firm ESET’s researchers have identified a very sophisticated Trojan that attacked Iranian and Syrian subjects in 2013 while rumor is that the group is a secret wing of the French Intelligence service.

The Trojan has been named Dino because it was supposedly created by the so-called Animal Farm Group, which also created other Trojans like Bunny, Casper and Babar. Casper malware’s claim to fame is that it was involved in a large-scale attack on computer systems in Syria last fall.


ESET claims that “Dino’s main goal seems to be the exfiltration of files from its targets”.

In a blog post from ESET researcher Joan Calvet, Dino malware was described as,

“An elaborate backdoor built in a modular fashion. We believe this malicious software has been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and Babar malware.”

Calvet further added that “the amount of shared code between Dino and known Animal Farm malware leaves very little doubt that Dino belongs to Animal Farm’s Arsenal.”

Dino malware was recently mentioned by researchers at Kaspersky as well and they described it as a “full featured espionage platform that comes with fabriqué en France” stamp on it.”

According to Kaspersky, Dino is distributed by a malware package called Tafacalou. The vast majority of Tafacalou victims have been in Syria, Iran, and Malaysia—with the US and China trailing far behind.

The analysis of Dino’s code was based on a sample that infected Iranian computer systems in 2013.

Joan Calvet writes that “Among its technical innovations, there is a custom file system to execute commands in a stealthy fashion, and a complex task scheduling module working in a similar way to the ‘cron’ Unix command. Interestingly, the binary contains a lot of verbose error messages, allowing us to see Dino’s developers’ choice of wording. Also, Dino contains interesting technical features, and also a few hints that the developers are French speaking.”

It is apparent that Dino shares quite a few of its attributes with the “Animal Farm” malware family and it can be termed as an improvised version of the techniques of “Babar,” which was the intelligence-gathering software implant of the previous generation.


Related Posts