Threat Report: What is the Drovorub Malware and How Does it Work?

Druvorub can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network. Druvorub has de-obsfuscated XOR encrypted payloads in WebSocket messages. Additionally, Druvorub can exfiltrate files over C2 infrastructure. 

Druvorub can transfer files from the victim machine. Druvorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request. Druvorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view. Druvorub can use TCP to communicate between its agent and client modules and execute arbitrary commands as root user on the system.

Drovorub Malware Capabilities:

Drovorub may use a number of techniques to hide its presence and avoid detection, including using internal proxies to direct command and control traffic, obfuscating files and information, and encrypting or encoding data. It may also use rootkits to hide programs, files, and other system components, and may communicate using application layer protocols associated with web traffic.

• Drovorub may use internal proxies to manage command and control communications inside a compromised environment and steal data by exfiltrating it over an existing command and control channel. 
• The Drovorub malware may search local system sources for files of interest and sensitive data, communicate using application layer protocols, and modify the kernel to automatically execute programs.
• Drovorub is a piece of malware that uses rootkits to hide its presence and make it difficult to detect and analyze. It may also use a variety of protocols for communication, making it hard to track.
• Drovorub may abuse Unix shell commands and scripts for execution in order to gain control of a system. They may also transfer tools or other files from an external system in order to gain access to victim devices within a network. Once present, adversaries may also delete any files that could be used to trace their activity.

Ways to Mitigate Drovorub Malware Attacks 

• The Drovorub malware can be mitigated by analyzing network data for unusual data flows and by monitoring process and command-line activity for potentially malicious behavior.
• The Drovorub malware can be mitigated by monitoring processes and command-line arguments for actions that could be taken to collect files from a system, analyzing network data for uncommon data flows, and monitoring for commands that load, unload, or manipulate modules on Linux systems.
• The best way to mitigate Drovorub malware is to use a combination of rootkit detection tools and monitoring for changes in devices, services, and the MBR. It may also be possible to detect the malicious activity that caused the obfuscated file.
• The Drovorub malware can be mitigated by monitoring for file creation and files transferred in the network.