Intelligence Agencies Release a Security Alert Over Russian-Made Malware

The NSA and FBI recently published a joint security alert detailing a previously undisclosed strain of Linux malware. The two agencies say the malware was developed and deployed by Russia's military intelligence hackers in real-world intrusions.

According to the agencies, the hackers used the malware, known as Drovorub, to plant backdoors on compromised networks and keep persistent access, opening the door to further attacks.

Russian Hacking Group Fancy Bear is at it Again

Based on the evidence they collected, the two agencies attribute the malware to the known Russian advanced persistent threat group APT28, also tracked as Fancy Bear and Sednit. APT28 is the industry codename for a hacking unit operating out of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

The agencies released the alert to bring the malware, and the group behind it, to the attention of the public and private sectors in the United States, so that IT administrators are better prepared to detect, prevent, and counter infections.

The agencies describe Drovorub as a multi-component toolset: an implant paired with a kernel-module rootkit, a file transfer and port-forwarding tool, and a command and control (C2) server. They call it a "Swiss Army knife" of capabilities. Once installed, it lets attackers transfer files to and from the victim, forward network traffic to other hosts on the network, and run commands on the compromised machine, exfiltrating sensitive information and taking direct control of the system.

What makes Drovorub particularly dangerous, however, is that it is built for stealth. Its kernel-module rootkit hides the implant's artifacts from ordinary user-space tools, which makes both detection and removal considerably harder. That level of stealth allows the operators to infect a range of targets and keep a quiet foothold from which they can launch further attacks whenever they choose.

The United States is filled with potential targets for such attacks. The FBI and NSA did not name specific objectives for Drovorub, but they noted that it could be used for anything from industrial espionage to interference with the upcoming election.

How to Prevent Drovorub Attacks 

The agencies did offer advice on how to prevent infections. The first recommendation is that organizations update their Linux systems as soon as possible so that they run kernel version 3.7 or later. Kernel module signature verification was introduced in 3.7, and with enforcement switched on the kernel refuses to load unsigned modules, which would stop APT28 from installing the unsigned Drovorub rootkit. The caveat a practitioner should note: a newer kernel alone does not enforce anything. Systems must also be configured to load only signed modules, for example by booting with module signature enforcement turned on or by enabling UEFI Secure Boot, which the alert also recommends.
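The following script is an added example, not part of the NSA/FBI alert or of this article: it audits a Linux host for the three hardening points above (kernel at or above 3.7, module signature enforcement actually switched on, and UEFI Secure Boot). The file paths it reads are the conventional locations on mainstream distributions and are assumptions; the version and config parsing is done in small functions so each check can be run on its own.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI alert): audit a Linux host for the
# kernel-hardening measures the alert recommends against Drovorub:
#   1. kernel 3.7 or later (first release with module signature support),
#   2. module signature enforcement actually turned on at runtime,
#   3. UEFI Secure Boot enabled, so enforcement cannot simply be switched off at boot.
# File paths below are the usual locations on mainstream distributions (assumed).

# kernel_at_least VERSION MAJOR MINOR
# Returns 0 when VERSION (as printed by `uname -r`) is >= MAJOR.MINOR.
# Suffixes such as "-80-generic" or "-754.el6" are stripped before comparing.
kernel_at_least() {
  ver=$1; want_major=$2; want_minor=$3
  major=$(printf '%s\n' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
  minor=$(printf '%s\n' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
  [ -n "$major" ] && [ -n "$minor" ] || return 1   # unparsable: treat as not satisfied
  [ "$major" -gt "$want_major" ] && return 0
  [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
  return 1
}

# module_sig_state CONFIG_FILE
# Reads a kernel build config (normally /boot/config-$(uname -r)) and prints
# "force" if unsigned modules are refused, "sig" if signatures are only checked
# and logged, "none" if the kernel was built without module signing at all.
module_sig_state() {
  if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1" 2>/dev/null; then echo force
  elif grep -qx 'CONFIG_MODULE_SIG=y' "$1" 2>/dev/null; then echo sig
  else echo none; fi
}

# sig_enforce_runtime SYSFS_FILE
# The running kernel exposes module.sig_enforce as "Y" or "N" in
# /sys/module/module/parameters/sig_enforce. Returns 0 if enforcement is on.
sig_enforce_runtime() {
  [ -r "$1" ] || return 1
  [ "$(cat "$1")" = "Y" ]
}

# secureboot_from_efivar EFIVAR_FILE
# The SecureBoot EFI variable, as exposed through efivarfs, is 4 bytes of
# attributes followed by one data byte; that data byte is 1 when Secure Boot
# is enabled. Returns 0 if enabled.
secureboot_from_efivar() {
  [ -r "$1" ] || return 1
  last=$(od -An -tu1 "$1" | awk '{v=$NF} END{print v}')
  [ "$last" = "1" ]
}

# audit_host: run the checks against the live system (informational output).
audit_host() {
  krel=$(uname -r)
  if kernel_at_least "$krel" 3 7; then
    echo "kernel $krel: 3.7 or later, module signing available"
  else
    echo "kernel $krel: older than 3.7, no module signature enforcement; update"
  fi
  cfg=/boot/config-$krel
  echo "build-time signing: $(module_sig_state "$cfg") ($cfg)"
  if sig_enforce_runtime /sys/module/module/parameters/sig_enforce; then
    echo "runtime: unsigned modules are refused (module.sig_enforce=Y)"
  else
    echo "runtime: unsigned modules can be loaded; boot with module.sig_enforce=1 or enable Secure Boot"
  fi
  if secureboot_from_efivar /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c; then
    echo "UEFI Secure Boot: enabled"
  else
    echo "UEFI Secure Boot: disabled or not a UEFI system"
  fi
  return 0
}

audit_host
```

The build-time and runtime checks are deliberately separate: a distribution kernel built with CONFIG_MODULE_SIG but without CONFIG_MODULE_SIG_FORCE will log a warning for an unsigned module and load it anyway unless `module.sig_enforce=1` is passed on the kernel command line or Secure Boot turns enforcement on. That is exactly the gap a rootkit such as Drovorub's kernel module relies on.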

The joint security alert also includes detection guidance: memory analysis with the Volatility framework, a check for hidden files, and Snort and YARA rules that administrators can deploy to improve their chances of spotting an infection. The alert adds a few interesting observations, such as the fact that "Drovorub" is the group's own name for the tool, not a label assigned by the agencies. The name combines the Russian words "drovo" ("firewood" or "wood") and "rub" ("to chop" or "to fell"), roughly "woodcutter."
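The hidden-file check in the alert relies on the fact that a file-hiding rootkit must filter what user-space tools see. The script below is an added example, not the alert's own test and not code from the agencies: it performs a generic cross-view check, comparing what a directory listing (readdir, as used by ls) reports against a direct lookup of the same name (stat, as used by test -e). The file name used as a probe is an assumption supplied by the caller; the specific naming rule Drovorub uses for hiding is not reproduced here.

```shell
#!/bin/sh
# Added example (not the alert's own test): cross-view checks for a file-hiding
# rootkit. A kernel module that filters directory listings but not direct
# lookups shows up as a mismatch between the two views. The probe name passed
# by the caller is an assumption; it is not Drovorub's hiding rule.

# cross_view_check DIR NAME
# 0: NAME exists and appears in the listing (views agree);
# 1: NAME exists (lookup succeeds) but is missing from the listing, i.e.
#    something is filtering readdir;
# 2: NAME does not exist at all.
cross_view_check() {
  dir=$1; name=$2
  [ -e "$dir/$name" ] || return 2
  ls -a "$dir" | grep -Fqx -- "$name" && return 0
  return 1
}

# probe_hidden_name DIR NAME
# Creates DIR/NAME, runs the cross-view check on it, removes it again and
# prints "visible", "hidden" or "error" (could not create the probe file).
probe_hidden_name() {
  dir=$1; name=$2
  touch -- "$dir/$name" 2>/dev/null || { echo error; return 0; }
  if cross_view_check "$dir" "$name"; then rc=0; else rc=$?; fi
  rm -f -- "$dir/$name"
  case $rc in
    0) echo visible ;;
    1) echo hidden ;;
    *) echo error ;;
  esac
}

# audit_dir DIR: confirm that every entry the listing shows also resolves by
# direct lookup, and report any that do not (informational output only).
audit_dir() {
  dir=$1
  ls -a "$dir" | while read -r entry; do
    case $entry in .|..) continue ;; esac
    [ -e "$dir/$entry" ] || echo "$dir/$entry: listed but lookup fails"
  done
  return 0
}

# Stand-alone use: sh probe.sh /tmp somename
if [ -n "$1" ] && [ -n "$2" ]; then
  echo "$1/$2: $(probe_hidden_name "$1" "$2")"
  audit_dir "$1"
fi
```

The caveat: a rootkit that hooks both the listing and the lookup paths defeats this check, which is why the alert pairs it with memory forensics. A cross-view comparison is only as trustworthy as the least-hooked of its two views; comparing against a listing taken from a trusted boot medium, or against the memory image Volatility analyses, closes that gap.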

The NSA and FBI were able to link the malware to the group because the hackers reused infrastructure across operations: Drovorub was observed connecting to a C2 server that had already been tied to APT28's 2019 campaign against IoT devices.

Reactionary Times News Desk
