Animal Farm APT is the first French speaking APT detected. It is worth noting that French is the official language of 29 countries. According to slides referencing Operation Snowglobe, released by Edward Snowden and Der Spiegel in January 2015, Animal Farm is a cyber threat group sponsored by France. The Animal Farm APT is suspected to be a component of the French Directorate-General for External Security (DGES), which is France’s external intelligence agency. The cyber threat group began development of its toolkit in 2007 and it has been actively launching attack campaigns since 2009. The purpose of the group is to conduct cyber espionage and denial of service campaigns against political targets using traditional cyber attack vectors, 0-day exploits, and a custom multi-tier malware platform.

Animal Farm APT targets government entities, activists, private companies, journalists, media outlets, and defense contractors in Syria, Iran, Malaysia, the United States, China, Turkey, the Netherlands, Germany, Great Britain, and Russia with spear phishing and watering hole attacks.

The Animal Farm trojans can be grouped into six families. The NBot malware is a standard botnet kit capable of enslaving systems and leveraging their resources in aggregate to conduct DDoS attacks. The EvilBunny trojan and its variants are validator trojans that were used in spear phishing attacks in 2011. The trojans were delivered through malicious PDF files through the 0-day exploitation of a vulnerability in Adobe reader. The trojan checks whether an emulator is running, what directory it is running from, whether its payload timestamp has been changed, and what time the API hook was detected. Bunny is designed as an execution platform for the attacker to inject Lua scripts into victim system processes.

The Casper and Tafacalou trojan families are also validator trojans. Casper is designed to persist and to track victim online activity. Casper is delivered via watering-hole attacks while Tafacalou may be delivered through spear phishing or watering-hole attacks. The Tafacalou malware is the used to deliver either the Dino espionage platform or the Babar espionage platform onto the victim host.

Babar is a spyware toolkit capable of logging keystrokes, monitoring web activity, taking screenshots, capturing audio, copying clipboard data and eavesdropping on online conversations that are conducted over popular messaging platforms (Skype, MSN, Yahoo messenger, etc.). Babar obfuscates its activity by hooking into the APIs of remote processes through a series of named pipes. Babar may have been used to spy on Iranian nuclear research facilities and European financial institutions.

Dino is a modular malware capable of executing Ccy2C commands and Windows batch commands, searching for specific files, uploading and downloading files from the C2C infrastructure, scheduling its own command executions, killing processes, and removing itself from the victim system. The PSM module is the encrypted on-disk copy of Dino’s components. The CORE module stores configuration and the ENVVAR module stores environment variables. The CRONTAB module schedules tasks. Meanwhile, the CMDEXECQ module stores the queue of commands executed by the CMDEXEC component. Finally, the FMGR module manages file uploads and downloads.


Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google