NSA and FBI expose Russian 'Drovorub' malware used to target Linux systems

The malware is being deployed in real-world attacks by hackers working for a Russian military intelligence unit, the agencies state

The US National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning organisations about Drovorub, a malware toolkit being used by Russian threat actors to spy on Linux systems.

According to the advisory, Drovorub is designed to target Linux systems and is part of cyber espionage operations carried out by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.

The cyber activities of GTsSS unit 26165 are variously tracked by private cyber security firms as APT28, Fancy Bear or Strontium.

According to the NSA, the Drovorub toolkit comes with an implant, a file transfer tool, a kernel module rootkit, a command and control server and a port-forwarding module. A successful attack using Drovorub allows attackers to carry out a variety of functions, such as taking remote control of the victim's computer and stealing sensitive data from the system.

The malware is also capable of hiding itself on the victim machine using advanced rootkit techniques. Its other features include uploading and downloading files, executing arbitrary commands with root privileges, communicating directly with C&C infrastructure, and forwarding network traffic to other systems on the network.

"The Drovorub malware suite is comprised of four separate executable components: Drovorub-agent, Drovorub-client, Drovorub-server and Drovorub-kernel module," the advisory reveals.

"Communication between the components is conducted via JSON over WebSockets. The Drovorub-agent, Drovorub-client, and Drovorub-server require configuration files and an RSA public key (for the Drovorub-agent and Drovorub-client) or private key (for the Drovorub-server) for communication."

To mitigate the threat posed by Drovorub, the NSA recommends that organisations update their Linux systems to kernel version 3.7 or later, which allows them to take full advantage of the kernel module signing enforcement feature of Linux.

Admins are also advised to enable the UEFI Secure Boot verification mechanism, so that only properly signed kernel modules can be loaded.
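The two mitigations above (kernel module signature enforcement and UEFI Secure Boot) can be verified on a running host from standard sysfs and procfs entries. The script below is an added example, not part of the advisory or the article, that reads those entries: `/sys/module/module/parameters/sig_enforce` reports whether the kernel refuses unsigned modules, the kernel taint bitmask in `/proc/sys/kernel/tainted` records whether an out-of-tree (bit 12) or unsigned (bit 13) module has ever been loaded since boot, and the `SecureBoot` EFI variable exposed through efivarfs carries a single data byte (after four attribute bytes) that is 1 when Secure Boot is enabled. Each function takes an optional file path so it can be exercised against constructed files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): defender-side checks for the
# two mitigations the article names. Each function reads the standard kernel
# location by default but accepts a path argument for testing.

# "Y" means the running kernel refuses unsigned modules
# (CONFIG_MODULE_SIG_FORCE built in, or booted with module.sig_enforce=1).
sig_enforce_status() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    if [ ! -r "$f" ]; then
        echo "unknown (no sysfs entry; kernel may lack CONFIG_MODULE_SIG)"
        return 2
    fi
    case "$(cat "$f")" in
        Y) echo "enforced"; return 0 ;;
        N) echo "not enforced"; return 1 ;;
        *) echo "unknown"; return 2 ;;
    esac
}

# Decode the kernel taint bitmask. Bit 12 (O) is set once an out-of-tree
# module has been loaded, bit 13 (E) once an unsigned module has been loaded.
# On a host that should only run distribution-signed modules, either flag is a
# lead worth investigating, and the flags persist until reboot.
taint_report() {
    f="${1:-/proc/sys/kernel/tainted}"
    [ -r "$f" ] || { echo "unknown"; return 2; }
    t=$(cat "$f")
    out=""
    [ $(( (t >> 12) & 1 )) -eq 1 ] && out="$out out-of-tree-module"
    [ $(( (t >> 13) & 1 )) -eq 1 ] && out="$out unsigned-module"
    out="${out# }"
    echo "${out:-clean}"
}

# efivarfs exposes each EFI variable as 4 attribute bytes followed by its data;
# for SecureBoot (EFI global variable GUID) the data is one byte, 1 = enabled.
secure_boot_status() {
    f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$f" ] || { echo "unknown (not booted via UEFI or efivarfs not mounted)"; return 2; }
    last=$(od -An -t u1 "$f" | awk '{ last = $NF } END { print last }')
    if [ "$last" = "1" ]; then
        echo "enabled"
        return 0
    fi
    echo "disabled"
    return 1
}

# Summarise the live host; each line is "unknown ..." where the entry is absent.
check_host() {
    echo "module.sig_enforce : $(sig_enforce_status)"
    echo "taint flags        : $(taint_report)"
    echo "UEFI Secure Boot   : $(secure_boot_status)"
}

check_host
```

A host where `sig_enforce` reports "not enforced" will still load an unsigned module and merely set the E taint flag, so the taint check is the useful after-the-fact signal while the first and third checks describe the preventive posture.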

The NSA says it was able to link Drovorub to APT28 after noticing the reuse of a C&C server across multiple operations. The server used in Drovorub operations had previously been used by APT28 in operations targeting IoT devices in 2019.

In March, researchers from cyber security firm Trend Micro reported that APT28 was using previously hacked email accounts to facilitate credential phishing attacks against high-profile targets in the Middle East.

The firm said that nearly 38 per cent of the attacks launched by the group were targeted at the defence sector, while the rest of the attacks attempted to compromise government, construction and banking organisations.

APT28 is thought to have infiltrated the networks of the Democratic National Committee (the governing body of the US Democratic Party) in 2016. Nearly two years after that intrusion, the US Department of Justice linked the group to the Main Intelligence Directorate of the Russian General Staff (GRU).