In August 2020, the NSA and FBI published a joint security alert containing details about a previously undisclosed Russian malware. The entire report can be viewed here
The agencies say that the Linux strain malware has been developed and deployed in real-world attacks by Russian military hackers. The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage operations.”
The name Drovorub comes from a variety of artifacts discovered in Drovorub files, Drovo translates to “firewood” or “wood”, while Rub translates to “to fell, or “to chop.” Together, they translate to “woodcutter” or “to split wood.” Drovorub is like a Swiss-army knife for hacking Linux. The Linux malware toolset consists of an implant coupled with a kernel module root kit, a file transfer and port forwarding tool, and logic for connecting back to a Command and Control (C2) server. Drovorub malware is made up of four executable components: Drovorub-client, Drovorub-agent, Drovorub-kernel module and Drovorub-server.
Installed on actor-controlled infrastructure, enables C2 for the Drovorub-client and Drovorub-agent. mySQL is used by the Drovorub-server to manage the connecting Drovorub-client(s) and Drovorub-agent(s). The database stores data that is used by the Drovorub-agent and client for registration, authentication and tasking.
The Drovorub-client is installed on target endpoints by the actor. The client receives commands from the remote Drovorub-server and offers file transfer to/from the victim, port forwarding, and a remote shell capability. The Drovorub-client is packaged within a Drovorub-kernel module which provides rootkit-based stealth functionality to hide the client and kernel module.
The kernel module implements the stealth, hiding itself and various artifacts from user-space, including specified files and directories, network ports and sessions, the Drovorub-client process, and Drovorub-client child processes.
The Drovorub-agent executable receives commands from its configured Drovorub-server. The agent is likely to be installed on internet-accessible hosts or actor controlled infrastructure. Unlike the Drovorub-client the Drovorub-agent does not include remote shell capability and is purposed based for uploading files to and download files from Drovorub-client endpoints, and forward network traffic through port relays.
The agencies do not say how long the Drovorub malware has been in circulation nor how the bug was discovered, but do point to an August 5, 2019 Microsoft Security Response Center alert linking IP address 126.96.36.199 to Strontium infrastructure in an Internet of Things devices exploit in April, 2019. The NSA and FBI have confirmed that the same IP address was also used to access the Drovorub C2 IP address 188.8.131.52 that same month. No other threat actors are believed to be using Drovorub at this point but other cyber adversaries are expected to deploy similar tools and techniques, the alert stated.
A number of complementary detection techniques effectively identify Drovorub malware activity. The Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale. While packet inspection at network boundaries can be used to detect Drovorub on networks, host-based methods include probing, security products, live response, memory analysis, and media (disk image) analysis. Specific guidance for running Volatility®, probing for file hiding behavior, Snort® rules, and Yara® rules are all included in the Detection section of the NSA/FBI advisory.
To prevent Drovorub’s hiding and persistence technique, system administrators should update to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. System owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system. The advisory carried with it an allied message beyond the malware warning. It signaled the agencies’ intention to share information with the private sector, other government entities and international partners to enable network defenders to “identify and degrade malware activity” and to “counter the capabilities of the GRU,” the agencies said.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide. (Read Multifactor Authentication or MFA)
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Weekly Cyber Intelligence Briefings: