In this post we look at a newly discovered piece of malware that its creators named Dino. Dino is a sophisticated backdoor developed by Animal Farm, the cyber group behind the creation and distribution of state-sponsored malware such as Casper, Bunny and Babar. It has many interesting features, including several that suggest it was developed by French speakers.

The name Animal Farm was given to a cyber group mentioned by the Canadian Communications Security Establishment (CSE) in a series of slides from a March 2014 presentation that was part of the Edward Snowden leaks. These slides indicate that French intelligence agencies are behind this group. Since then, anti-virus companies have identified several malicious programs created by it.
These malicious programs include:
- Casper, a so-called first-stage implant, documented by ESET.
- Bunny, a backdoor written in Lua, documented by researcher Marion Marschalek (Cyphort).
- Babar, cyber-espionage malware, also documented by Marion Marschalek.
The link between these malware families and the Animal Farm group has been convincingly established by G DATA researcher Paul Rascagnères. Our study focuses on another malicious program attributed to this group: it is called Dino.
General information
The malware file we analyzed was used in 2013 in targeted attacks against Iran. The original infection vector remains unknown; however, we believe Dino was installed by another malicious program, since it contains routines for removing itself from the system but no corresponding installation routine. Given the set of commands Dino can receive, we believe its main purpose is to collect files on the infected system and send them to a remote server (exfiltration).
The authors left the name of the malware in its body, as was also the case with Casper, mentioned above. The name Dino was apparently borrowed from a character in the cartoon The Flintstones. This malware was mentioned in a study by the anti-virus company Kaspersky Lab.
Overall, Dino is a complex backdoor built on a modular design. Its technical features include a custom file system used to execute commands stealthily, and an elaborate task-scheduling module that works much like the UNIX cron utility. The executable contains many informative error messages, which leads us to conclude that the developers have a very good command of French.
Malware structure
The malware is written in C++ and uses a modular architecture. The following list of modules was extracted from the Dino executable; the module names were given by the developers themselves.

Dino relies on a special data structure called DataStore. All of its modules store their data in this structure, so understanding its format and contents is key to understanding how the malware works as a whole.
The DataStore structure is an associative container (map) that maps string keys to values of eight different data types. It is implemented as a hash table: to retrieve the value associated with a key, the code computes a hash of the key to locate the container element from which the value is extracted.
The hash is a one-byte value computed by a series of XOR operations over the key. Each container element is the head of a linked list holding key/value pairs. Below is the malicious code snippet responsible for retrieving the value associated with a key.
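The snippet itself is not reproduced in this copy. As an added example (not Dino's code), the lookup scheme just described is reimplemented below: a one-byte hash selects one of 256 chain heads, and the chain is walked for the key. The exact XOR sequence Dino applies is not given in this analysis, so the byte-fold in xor_hash is an assumed stand-in, and the values in demo() are the ones quoted in this post plus a placeholder URL.

```python
# Added example, not Dino's code: the DataStore lookup scheme described above,
# reimplemented to make the design concrete. The exact XOR sequence Dino applies
# is not given in this analysis; the byte-fold in xor_hash is an assumed stand-in.
from typing import Any, List, Optional, Tuple


def xor_hash(key: str) -> int:
    """One-byte hash of the key (assumed: XOR-fold of all key bytes)."""
    h = 0
    for b in key.encode("ascii"):
        h ^= b
    return h & 0xFF


class DataStore:
    """256 bucket heads, each the head of a chain of (key, value) pairs."""

    def __init__(self) -> None:
        self.buckets: List[List[Tuple[str, Any]]] = [[] for _ in range(256)]

    def put(self, key: str, value: Any) -> None:
        chain = self.buckets[xor_hash(key)]
        for i, (k, _) in enumerate(chain):
            if k == key:                    # existing key: overwrite in place
                chain[i] = (key, value)
                return
        chain.append((key, value))          # new key: append to the selected chain

    def get(self, key: str) -> Optional[Any]:
        # Same path as the malware's lookup: hash the key, then walk that chain.
        for k, v in self.buckets[xor_hash(key)]:
            if k == key:
                return v
        return None

    def chain_length(self, key: str) -> int:
        """How many pairs share this key's one-byte hash (a 256-slot table collides often)."""
        return len(self.buckets[xor_hash(key)])


def demo() -> DataStore:
    """Constructed sample keyed with names quoted in the analysis; values are placeholders."""
    ds = DataStore()
    ds.put("RecID", "11173-01-PRS")                       # value quoted above
    ds.put("Version", "1.2")                              # value quoted above
    ds.put("ComServer", "http://example.invalid/din12/")  # placeholder URL
    return ds
```

With only 256 buckets, distinct keys such as "ab" and "ba" land in the same chain, which is why a lookup must compare the full key after hashing.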

The DataStore can also be stored as a flat, contiguous array in memory that begins with the special "DxSx" signature. The PSM module uses this format to store the contents of Dino's modules in an encrypted file: when it needs to save the structure from memory to disk, it writes it in exactly this form, and when the malware restarts, the code converts the data back into the associative container. The key used to encrypt the file on disk is the string "PsmIsANiceM0du1eWith0SugarInside".
As mentioned above, Dino's configuration data is initially stored as a flat array (a serialized DataStore object) inside an archive located at the end of the executable. During execution it is converted into an associative container and kept in memory inside the CORE module. We obtained a listing of the configuration data with the "conf -l CORE" command, described later. The extracted configuration is shown below.

The purpose of some keys is clear from their names; others need more explanation.
- "RecID": the Animal Farm group uses this field to identify the victim. In the Dino sample we examined it contained "11173-01-PRS". Casper, another malware used by this group, used the number 13001, and some Babar samples used "12075-01" and "11162-01".
- "ComServer": these keys contain the URLs of the C&C servers. All of them were no longer valid at the time of our analysis. The C&C domains were legitimate websites, which is common practice for the Animal Farm group.
- "Version": the malware version, "1.2" in our case, which is also confirmed by the directory name "din12" that appeared in one of the C&C URLs. Another directory named "d13" was seen at another Animal Farm C&C address (see section 3.7, "Calling home", of the Babar report), which indicates that other Dino versions exist in the wild.
- "BD_Keys" and "CC_Keys" contain the cryptographic keys used to encrypt network traffic with the C&C server. Their values begin with the signature "MAGICBOX".
- The names of the last three keys (see the screenshot above) are stored in obfuscated form ("xT0rvwz", "tr4qa589" and "jopcft4T") and hold the parameters used by the malware's file system.
The following table lists the commands that the operators can send to the bot. Each command can take one or more arguments.


Of the commands above, "search" is of particular interest. It lets the operators search for files on the compromised machine, and the search can be quite elaborate: not only by name mask but also by other file attributes. For example, an operator can request all files with a .doc extension larger than 10 KB that were modified in the last three days. We believe Dino's main purpose was precisely the theft of files (exfiltration).
On startup, Dino sequentially executes the commands stored in the "InitialCommands" section of the configuration. The sample we analyzed contained the following commands.
sysinfo
cominfos
!ipconfig /all
!ipconfig /displaydns
!tracert www.google.com
These commands are obviously used by the operators for reconnaissance. They are executed by the CMDEXEC module, and in memory the commands are held inside the CMDEXECQ module. Their output is sent to the C&C server.
RamFS: temporary file system
The malware uses a custom file system called ramFS. It gives the malware a special structure for storing file data in memory, where each file system element carries a file name just as in a regular disk file system. RamFS also supports a set of commands that can be placed in files and then executed. Note that ramFS is also present in other Animal Farm malware.
The RamFS contents are initially stored encrypted in the configuration element (the value of the associative container key) named "xT0rvwz". The RC4 key needed to decrypt it is stored as the value of the "tr4qa589" element. Once decrypted, the file system is held in memory as a linked list of 512-byte blocks, each of which is encrypted with RC4. When it looks up a file in RamFS, the malicious code decrypts each block, processes it, and encrypts it again, so the file system is handled with an appropriate level of secrecy.
Below are some of the high-level features of this file system.
- File names and file contents are in Unicode.
- File names are limited to 260 characters.
- After decryption, the malicious code works with file data in 540-byte blocks.
- The file system associates no metadata with a file.
We could not find any known file system whose data structures match ramFS, so we believe it is Animal Farm's own development.
The following commands can be executed by the malware in the context of the file system.

In Dino, ramFS serves as secure storage for a file containing the instructions for removing the malware from the system. The Dino developers call this file the uninstaller (cleaner); it runs when the bot receives the "killBD" command. The figure below shows the code responsible for executing the uninstaller. It first obtains the file name ("a.ini") from the DataStore structure described above, then fetches the key to decrypt the contents of ramFS. Next, the file system is mounted in memory so that the uninstaller file can be extracted and executed. The developers' own strings give a clear picture of the actions performed by the code.

The uninstaller contains the string "INSTALL -A "wusvcd" -U", which removes the malware from the system; "wusvcd" was the name used when Dino was installed. RamFS therefore acts as a secure container for files that the malware will execute on the user's machine, giving the operators an execution environment on the victim's system that leaves very few traces.
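To make the storage scheme concrete, here is an added model (not Dino's code) of the ramFS behaviour described in this section: a chain of RC4-encrypted 512-byte blocks in which a lookup decrypts one block, inspects it, and re-encrypts it before moving on, so that only one block is ever cleartext. The block layout ("name\0content\0" in UTF-16LE, one file per block), the key and the second file are assumptions made for this example; "a.ini" and its "INSTALL" string are quoted above.

```python
# Added example, not Dino's code: a model of the ramFS scheme described above.
# Assumed layout: one file per 512-byte block as "name\0content\0" in UTF-16LE.
from typing import List, Optional

BLOCK = 512

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); one call both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def utf16z(buf: bytes, off: int):
    # NUL-terminated UTF-16LE string at even offset off; returns (text, offset past terminator)
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

class RamFS:
    """Chain of RC4-encrypted 512-byte blocks; every block is ciphertext at rest."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.blocks: List[bytes] = []

    def add_file(self, name: str, content: str) -> None:
        plain = (name + "\0" + content + "\0").encode("utf-16-le")  # names are Unicode
        if len(plain) > BLOCK:
            raise ValueError("this model stores one file per block")
        self.blocks.append(rc4(self.key, plain.ljust(BLOCK, b"\x00")))

    def find(self, name: str) -> Optional[str]:
        for idx, enc in enumerate(self.blocks):
            plain = rc4(self.key, enc)               # only this block is cleartext right now
            fname, off = utf16z(plain, 0)
            content, _ = utf16z(plain, off)
            self.blocks[idx] = rc4(self.key, plain)  # back to ciphertext before the next block
            if fname == name:
                return content
        return None

def demo() -> RamFS:
    fs = RamFS(b"constructed-key")  # constructed; the real key is the "tr4qa589" value
    fs.add_file("a.ini", 'INSTALL -A "wusvcd" -U')  # file name and string quoted above
    fs.add_file("notes.txt", "constructed second entry")
    return fs
```

For memory forensics this means a dump of a running process exposes at most one cleartext block; recovering the whole file system requires the key from the "tr4qa589" value.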
Scheduling tasks
The "cronadd", "cronlist" and "crondel" commands add, list and delete scheduled tasks of the CRONTAB module. Tasks are the Dino commands listed above. The malware uses a syntax similar to the cron utility to schedule tasks: the time at which a task should run is given by a string of the form "minute day day month year week", or that string can be replaced with "@boot" to run the command every time the system boots. Below is an example of the cronlist output after the wakeup command was scheduled for April 7, 2015 at 15:44.

As can be seen, each entry has its own id, starting from 0xC0. The purpose of the "Local" field is unclear to us. The "Count" field is the number of times the command is executed; the value "-1" means the command runs only once. The last field, "Visibility", indicates whether the malicious code reports the command's success to its C&C server (the other possible value is "Silent").
Origin of Dino
The amount of executable code shared by all Animal Farm malware leaves little doubt about Dino's origin. The features common to these programs include the following.
- At the very start of execution, Dino checks whether the current process name matches known sandbox process names. The screenshot below shows this check. Similar checks ("klavme", "myapp", "TESTAPP" and "afyjevmv.exe") are present in Bunny and other Animal Farm samples.

- To hide its API calls, Dino uses a method seen in other Animal Farm malware: it computes a hash of the function name and uses it to find the function's address in its table. The hashing algorithm is similar to Casper's, combining a 7-bit ROL with XOR.
- Dino's custom file system, ramFS, is also used in other Animal Farm malware, where it stores payload files. For example, below is a ramFS command used by some NBOT droppers.

- Further evidence that Dino belongs to the Animal Farm group is the output format of the command that gathers system information. It closely resembles the output of a similar command in the updated beacon component of the SNOWBALL implant described in the CSE slides mentioned above.


The malware carries at least two indications that it was written by developers with a good command of French.
- The executable contains a resource with language code 1036. The purpose of such a resource is to let developers localize controls (menus, icons, version information) for different countries and languages. When the developer does not set the language code manually, the compiler sets it to the language of the developer's OS. The value 1036 corresponds to French. We believe this value is not a decoy, since in some other Animal Farm samples (e.g. Casper) the language code was set to English (US): it seems that for those samples the developers simply forgot to set the correct value and fixed it for Dino. Code 1036 appears not only in Dino samples but in other Animal Farm malware as well.
- The Dino executable is statically linked with the GnuMP library, which is used for big-number arithmetic in cryptographic algorithms. The GnuMP code in the Dino samples contains the following local paths; the directory name uses the French word "arithmetique", corresponding to the English "arithmetic".
..\..\src\arithmetique\mpn\mul.c
..\..\src\arithmetique\printf\doprnt.c
..\..\src\arithmetique\mpn\tdiv_qr.c
..\..\src\arithmetique\mpn\mul_fft.c
..\..\src\arithmetique\mpn\get_str.c
Conclusion
Dino demonstrates the thorough preparation of its authors, who used special data structures and a custom file system to store configuration data and files. Like other Animal Farm malware, Dino is the product of highly professional and experienced developers. However, the Dino code shows either the authors' poor knowledge of, or simply a lack of interest in, anti-analysis mechanisms, which distinguishes it from Casper. The body of the malware contains many diagnostic messages from which the program's behaviour can be predicted.

All these messages greatly facilitate understanding Dino's internals and the actions it performs. Many of them, however, contain typos.
As for Dino's victims, we know little about them. According to the CSE presentation mentioned above, they were located in Iran. The slide below shows information about the victims.
Compromise Indicators (IoC)
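The indicator list itself is not reproduced in this copy. As an added example, not part of the original post, the check below turns the strings quoted throughout this analysis (the "DxSx" signature, the "MAGICBOX" key prefix, the PSM key, the obfuscated ramFS key names, the "arithmetique" path fragment and the "wusvcd" install name) into a simple byte-level triage function that searches both ASCII and UTF-16LE forms; the sample buffer at the bottom is constructed for the demonstration.

```python
# Added example, not part of the original IoC list: a string-level triage check
# built only from strings quoted in this analysis. A hit is a reason to look
# further, not proof of Dino; the sample buffer at the bottom is constructed.
from typing import Dict, List, Tuple

DINO_STRINGS = [
    "DxSx",                              # serialized DataStore signature
    "MAGICBOX",                          # prefix of BD_Keys / CC_Keys values
    "PsmIsANiceM0du1eWith0SugarInside",  # PSM file encryption key
    "xT0rvwz", "tr4qa589", "jopcft4T",   # obfuscated ramFS configuration key names
    "arithmetique",                      # GnuMP source path fragment
    "wusvcd",                            # install name used by the uninstaller
]


def find_indicators(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Return {indicator: [(encoding, offset), ...]} for every occurrence found.

    Both ASCII and UTF-16LE forms are searched: ramFS names and contents are
    stored in Unicode, while the other strings above appear as ASCII."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for s in DINO_STRINGS:
        for enc, needle in (("ascii", s.encode("ascii")), ("utf-16le", s.encode("utf-16-le"))):
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(s, []).append((enc, pos))
                pos = data.find(needle, pos + 1)
    return hits


def triage_score(data: bytes) -> int:
    """Number of distinct indicators present; several together warrant a closer look."""
    return len(find_indicators(data))


# Constructed sample buffer (not a real Dino file): zero padding with two ASCII
# indicators and one ramFS-style UTF-16LE name planted at known offsets.
SAMPLE = (b"\x00" * 64 + b"DxSx" + b"\x00" * 32 + b"MAGICBOX" + b"\x00" * 16
          + "wusvcd".encode("utf-16-le") + b"\x00" * 64)
```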