FBI and NSA joint report details APT28’s Linux malware Drovorub

The FBI and NSA issue joint alert related to new Linux malware dubbed Drovorub that has been used by the Russia-linked APT28 group.

The FBI and NSA have published a joint security alert containing technical details about a new piece of Linux malware, tracked as Drovorub, allegedly employed by Russia-linked the APT28 group.

The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”

The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

The agencies published the alert to warn organizations in both the US private and public sectors about the new threat and urge them to adopt the necessary countermeasures.

Drovorub is a modular malware that includes the implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actorcontrolled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.” reads the joint report. “A number of complementary detection techniques effectively identify Drovorub malware activity. However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale.”

Drovorub could allow state-sponsored hackers to carry out a broad range of activities, such as stealing files, establishing backdoor access, remote controlling the target’s computer. The malware implements a sophisticated evasion technique, it leverages advanced ‘rootkit’ capabilities to remain under the radar.

The government agencies recommend that US organizations update any Linux system to a version running kernel version 3.7 or later to prevents Drovorub’s rootkit infections.

The alert suggests running Volatility, probing for file hiding behavior, and includes snort rules and Yara rules to detect the threat.

Experts also revealed that packet inspection at network boundaries can be used to detect Drovorub on networks, while host-based methods to detect the threat include probing, security products, live response, memory analysis, and media (disk image) analysis. Experts also suggest system owners to load only signed modules with a valid digital signature.

The FBI and NSA attribute the Drovorub malware to APT28 due to the reuse of the C2 infrastructure in different operations, including a past campaign targeting IoT devices in 2019.

Let me suggest to read the report, it is full of interesting info about the threat.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Drovorub malware)

[adrotate banner=”5″]

[adrotate banner=”13″]