Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Fraud Risk Management

Alert: Russian Hackers Deploying Linux Malware

Alert From NSA and FBI Warns of Drovorub Malware Used by 'Fancy Bear' Group
Alert: Russian Hackers Deploying Linux Malware
The components that make up the Drovorub Linux malware used by Russian hackers (Source: NSA and FBI)

An alert from the U.S. National Security Agency and the FBI warns of a recently discovered Russian-deployed malware variant called Drovorub that’s designed to target Linux systems, creating a backdoor into targeted networks to exfiltrate data.

See Also: Hackers Are Coming For Your Cloud-Based Applications

Drovorub is being deployed by the Russian-backed hacking group known as "Fancy Bear" or APT28, which is part of the military unit 26165 of the Russian General Staff Main Intelligence Directorate or GRU, according to the alert.

The alert warns that the Russian hackers are likely to target Linux systems used by private companies or government agencies that are associated with national security or defense projects.

"Information in this cybersecurity advisory is being disclosed publicly to assist national security system owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. presidential election," according to the alert issued Thursday.

The FBI and NSA are encouraging organizations that use Linux to upgrade to Linux Kernel 3.7 or a later version and "configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system."

Links to GRU

Analysts have linked Drovorub to the Russian hackers working for the GRU, the alert states, noting that the command-and-control infrastructure associated with this campaign had previously been used by the Fancy Bear group.

An IP address linked to a 2019 Fancy Bear campaign is also associated with the Drovorub malware activity, according to the report.

The Drovorub toolkit has several components, including a toolset consisting of an implant module coupled with a kernel module rootkit, a file transfer and port forwarding tool as well as a command-and-control server. All this is designed to gain a foothold in the network to create the backdoor and exfiltrate data, according to the alert.

How the Drovorub malware works within an infected network (Source: NSA and FBI)

"When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled [command-and-control] infrastructure; file download and upload capabilities; execution of arbitrary commands as 'root'; and port forwarding of network traffic to other hosts on the network," according to the alert.

Steve Grobman, CTO at the security firm McAfee, notes that the rootkit associated with Drovorub can allow hackers to plant the malware within a system and avoid detection, making it a useful tool for cyberespionage or election interference.

"The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time," Grobman tells Information Security Media Group. "Attackers can launch cyber warfare campaigns to inflict significant damage or disruption and do so without geographic proximity to their target. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference."

Detection and Mitigation

Although Drovorub provides rootkit-based stealth functionality, the malware can be detected and prevented using a number of techniques, the alert notes.

These include using network intrusion detection systems to identify the command-and-control system infrastructure and the messages sent between the malware and the server.

The alert also recommends deploying endpoint detection and memory correction tools, such as LiME and Volatility, to uncover malicious behavior.

Targeting Linux Systems

Attacks targeting Linux devices have steadily increased this year.

In June, security firms BlackBerry and KPMG reported that ransomware called Tycoon has been selectively targeting education and software companies running on Linux since December 2019 (see: Report: Tycoon Ransomware Targets Windows, Linux Systems).

In May, Kaiji, a newly discovered botnet, compromised Linux servers and IoT devices using brute-force methods, according to security firm Intezer (see: Kaiji Botnet Targets Linux Servers, IoT Devices).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.