The U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI) have released a new joint cybersecurity advisory about a new strain of Linux malware developed and deployed in real-world attacks by Russia’s military hackers.
According to the advisory, the malware, dubbed ‘Drovorub’, is designed to target Linux systems and is part of cyber espionage operations carried out by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28.
What Is Drovorub?
Drovorub is a Linux malware toolset developed for use by the GTsSS. It consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.
When deployed on a victim machine, Drovorub provides the capability for direct communications with actor-controlled command and control infrastructure; file download and upload capabilities; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and implements hiding techniques to evade detection. It persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.
“The Drovorub malware suite is comprised of four separate executable components: Drovorub-agent, Drovorub-client, Drovorub-server and Drovorub-kernel module,” the advisory reveals.
“Communication between the components is conducted via JSON over WebSockets. The Drovorub-agent, Drovorub-client, and Drovorub-server require configuration files and an RSA public key (for the Drovorub-agent and Drovorub-client) or private key (for the Drovorub-server) for communication.”
A successful Drovorub infection lets the attackers carry out a range of malicious actions, such as taking remote control of the victim’s computer and stealing documents that contain commercial secrets and employee personal data.
The malware also implements a sophisticated evasion method: it leverages advanced ‘rootkit’ capabilities to stay under the radar.
Through their joint alert, the FBI and NSA hope to raise awareness in the U.S. private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.
“This Cybersecurity Advisory represents an important dimension of our cybersecurity mission, the release of extensive, technical analysis on specific threats,” NSA Cybersecurity Director Anne Neuberger said.
“By deconstructing this capability and providing attribution, analysis, and mitigations, we hope to empower our customers, partners, and allies to take action. Our deep partnership with FBI is reflected in our releasing this comprehensive guidance together.”
“For the FBI, one of our priorities in cyberspace is not only to impose risk and consequences on cyber adversaries but also to empower our private sector, governmental, and international partners through the timely, proactive sharing of information,” said FBI Assistant Director Matt Gorham.
“This joint advisory with our partners at NSA is an outstanding example of just that type of sharing. We remain committed to sharing information that helps businesses and the public protect themselves from malicious cyber actors.”
Steve Grobman, Chief Technology Officer at cybersecurity company McAfee LLC, said that the technical information released by the NSA and FBI on APT28’s Drovorub toolset is highly valuable to cybersecurity defenders.
“Drovorub is a ‘swiss-army knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim’s computer,” Grobman explained.
“In addition to Drovorub’s multiple capabilities, it is designed for stealth by utilizing advanced ‘rootkit’ technologies that make detection difficult. The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time,” the McAfee exec added.
“The United States is a target-rich environment for potential cyber-attacks. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference,” Grobman said.
To prevent attacks, the agencies recommend that U.S. organizations update any Linux systems they run (at home or in the office) to a version running kernel 3.7 or later.
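As an added example, not code from the advisory or this article, the following POSIX shell script checks a Linux host for the two conditions the article ties to Drovorub persistence: a kernel of version 3.7 or later and UEFI Secure Boot enabled. It also reads the kernel's module-signature enforcement flag, since module signing is what the 3.7 threshold introduced; the sysfs and efivars paths are assumed to be the standard ones.

```shell
#!/bin/sh
# Added example (not from the advisory or the article): a read-only check of the
# mitigations the article names against Drovorub persistence on a Linux host.
# Assumptions: standard sysfs/efivars paths; the SecureBoot EFI variable holds
# 4 attribute bytes followed by 1 data byte (01 = enabled); kernel 3.7 is the
# release that introduced kernel module signature enforcement.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
SIG_ENFORCE=/sys/module/module/parameters/sig_enforce

# Returns 0 if kernel release $1 (e.g. "5.4.0-42-generic") is >= "major.minor" $2.
kernel_at_least() {
    have_major=${1%%.*}
    rest=${1#*.}
    # A release with no dot (unlikely) is treated as major.0.
    if [ "$rest" = "$1" ]; then have_minor=0
    else have_minor=$(printf '%s' "$rest" | sed 's/[^0-9].*//'); fi
    want_major=${2%%.*}
    want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Returns 0 if the SecureBoot EFI variable file $1 reports Secure Boot enabled.
# Only on/off is visible here; vendor modes such as "Full" or "Thorough" are
# firmware settings that this variable does not expose.
secure_boot_enabled() {
    [ -r "$1" ] || return 1
    [ "$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')" = "01" ]
}

# Returns 0 if the running kernel enforces module signatures ($1 = sysfs file).
module_sig_enforced() {
    [ -r "$1" ] && [ "$(tr -d '\n' < "$1")" = "Y" ]
}

# Prints one line per check; always returns 0 so it is safe under set -e.
report() {
    if kernel_at_least "$1" 3.7; then echo "PASS kernel $1 is 3.7 or later"
    else echo "WARN kernel $1 is older than 3.7: update it"; fi
    if secure_boot_enabled "$2"; then echo "PASS UEFI Secure Boot enabled"
    else echo "WARN UEFI Secure Boot not enabled (or not a UEFI boot)"; fi
    if module_sig_enforced "$3"; then echo "PASS module signature enforcement on"
    else echo "WARN module signature enforcement off or unavailable"; fi
    return 0
}

report "$(uname -r)" "$SB_VAR" "$SIG_ENFORCE"
```

Run it as an ordinary user; the report only reads the files and never changes firmware or kernel state.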
More information is available on NSA’s fact sheet.