Dubai: The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have jointly issued a security alert containing details about a new strain of Linux malware – Drovorub – developed and deployed by Russia’s military hackers.

Drovorub is proprietary malware developed for use by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165.

GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers.

It is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.

Offensive cyber capabilities

When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.

Matt Walmsley, EMEA Director at Vectra, said that the analysis of “Drovorub” provides a reminder that Russian offensive cyber capabilities remain in the top tier of nation states.

“It’s pleasing to see the NSA/FBI’s alert identify the tactics, techniques and procedures (TTP) used by “Drovorub” to map against the Mitre Att&ck framework. That mapping provides practical help to security teams needing to quickly validate their technical controls and their ability to detect the various stages of attacker behaviour such as Drovorub’s diverse use of stealthy command and control techniques,” he said in an email interview to TechChannel News.

Steve Grobman, CTO at McAfee, said that the US is a target rich environment for potential cyber-attacks and the objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference.

Makes detection difficult

Drovorub is a ‘swiss-army knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim’s computer. 

In addition to Drovorub’s multiple capabilities, he said that it is designed for stealth by utilising advanced “rootkit” technologies that make detection difficult.

“The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time. Attackers can launch cyber warfare campaigns to inflict significant damage or disruption and do so without geographic proximity to their target,” he said.

To prevent a system from being susceptible to Drovorub’s hiding and persistence, FBI and NSA have urged system administrators to update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.

“Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system,” the government agencies said.