FBI and NSA Expose Drovorub Malware, APT28's Swiss-Army Knife For Hacking Linux

Russia’s elite state-linked hacking group, Fancy Bear, is reportedly running a new cyber espionage operation using highly capable malware designed to infect Linux systems.

Drovorub - A Swiss-army knife

A recent joint security alert from the FBI and NSA details a new kernel module rootkit that boasts stealth capabilities against network-wide security solutions.
  • Drovorub is a multi-component malware suite consisting of an implant, a file transfer tool, a kernel module rootkit, a port-forwarding module, and a command-and-control (C2) server.
  • Drovorub takes advantage of several functions available in Linux kernels prior to version 3.7. It is also designed for stealth: it uses advanced rootkit techniques to gain admin privileges while making itself difficult for network-wide security solutions to catch.

The Russian roots

  • Per the two agencies, the Linux malware strain was developed by Russian hackers and deployed in real-world attacks to plant backdoors inside hacked networks.
  • The malware has been attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, also known as APT28 (Fancy Bear).

Recent APT28 attacks

Active since 2007, the APT28 group has launched several cyberattacks recently and continues to look for target-rich environments.
  • In late July, APT28 was reported to have carried out an attack campaign against US-based government and energy sector organizations, attempting to break into their email servers, Office 365 and email accounts, and VPN servers.
  • At the end of March, security experts found the Fancy Bear group scanning the internet for vulnerable webmail and Microsoft Exchange Autodiscover servers on TCP ports 445 and 1433.

Detection and prevention

In the released advisory on Drovorub, the NSA recommended installing the latest Linux security updates and running up-to-date versions of existing software. The NSA also outlined live response, memory analysis, and disk image analysis as techniques for detecting and preventing a potential intrusion. Users can also enable the UEFI Secure Boot verification mechanism so that only legitimate kernel modules are allowed to load.
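As an added defender-side example (not code from the advisory or from this article), the following POSIX shell script checks a Linux host for the three conditions this section calls out: a kernel older than 3.7, kernel module signature enforcement, and UEFI Secure Boot. The sysfs and efivars paths are the standard ones; the optional path arguments exist only so each check can be exercised on constructed input.

```shell
#!/bin/sh
# Added example: checks for the Drovorub mitigations named in the advisory.
# Each function takes an optional argument so it can run against a constructed file.

# Returns 0 when the kernel release string ($1, as printed by `uname -r`) is older than 3.7.
kernel_below_3_7() {
    major=${1%%.*}
    if [ "$major" = "$1" ]; then return 1; fi   # no dot at all: unparseable, report "not below"
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}                      # drop suffixes such as "-rc1" or "-generic"
    if [ -z "$minor" ]; then return 1; fi
    if [ "$major" -lt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -lt 7 ]; then return 0; fi
    return 1
}

# Returns 0 when the kernel refuses unsigned modules (CONFIG_MODULE_SIG_FORCE or module.sig_enforce=1).
module_sig_enforced() {
    knob=${1:-/sys/module/module/parameters/sig_enforce}
    if [ -r "$knob" ] && [ "$(cat "$knob")" = "Y" ]; then return 0; fi
    return 1
}

# Returns 0 when UEFI Secure Boot is enabled, read from the SecureBoot variable (EFI_GLOBAL_VARIABLE GUID).
secure_boot_enabled() {
    var=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    if [ ! -r "$var" ]; then return 1; fi
    # efivarfs prefixes the data with 4 attribute bytes; the variable itself is one byte, 1 = enabled.
    if [ "$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')" = "1" ]; then return 0; fi
    return 1
}

# One-line verdict per check for the running host.
report() {
    rel=$(uname -r)
    if kernel_below_3_7 "$rel"; then echo "kernel $rel: older than 3.7 (affected)"; else echo "kernel $rel: 3.7 or newer"; fi
    if module_sig_enforced; then echo "module signing: enforced"; else echo "module signing: NOT enforced (unsigned modules can load)"; fi
    if secure_boot_enabled; then echo "secure boot: enabled"; else echo "secure boot: disabled or not booted via UEFI"; fi
}

report
```

Run it as root on each host; a host reporting "affected" and "NOT enforced" is exactly where the advisory's memory and disk analysis steps should be applied.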