FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia
The United States on Thursday published information on Drovorub, a previously undisclosed piece of malware that Russia-linked cyber-spies are using in attacks targeting Linux systems.
Drovorub, a joint advisory from the NSA and the FBI reveals, is being employed by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, which is better known as the cyber-espionage group APT 28 (Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team).
APT 28 is believed to have launched attacks on NATO countries and Ukraine, and to have orchestrated the attack on DNC ahead of the 2016 elections in the United States. Earlier this year, researchers discovered that the group was hijacking high-profile email accounts to launch phishing attacks.
A proprietary piece of malware, the U.S. government says, Drovorub consists of an implant and a kernel module rootkit (which are installed on target systems), along with a file transfer and port forwarding tool (installed on Internet-accessible hosts), and an accompanying command and control (C&C) server.
On the victim machine, the threat can communicate with the attacker’s C&C, can download and upload files, execute commands with root privileges, perform port forwarding, hide itself to evade detection, and ensure persistence through system reboots.
The NSA and the FBI, which provide full technical details on the Drovorub malware, say that systems running Linux kernel versions of 3.7 or lower are exposed, due to the lack of adequate kernel signing enforcement. Thus, ensuring that systems have the latest vendor-supplied software running on them should keep this threat away.
The advisory also reveals that Drovorub cannot achieve persistence on systems where the UEFI secure boot is enabled in “Full” or “Thorough” mode, thus ensuring that signed kernel modules are being loaded. Enabling secure boot, however, could affect system functionality.
In an accompanying FAQ for the advisory, the agencies note that they have no reason to believe that the malware is being employed by other threat actors as well, but that it expects adversaries to adopt similar tools and techniques in future operations.
“Drovorub represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques, and configuration recommendations in the advisory to reduce the risk of compromise,” the agencies warned.