It seems that the Russian GRU’s hacking squad (aka Fancy Bear) have been busy again.
The FBI and NSA have recently issued a joint heads-up relating to a new strain of Linux malware that’s been traced back to the Fancy Bear stable.
Dubbed Drovorub, the capabilities of this malware strain have been likened to a swiss-army knife. Once successfully deployed, Drovorub gives the attacker unfettered access to the target system, while hiding itself from discovery.
Here’s a closer look at Drovorub and at what you can do to prevent infection.
What is Drovorub?
Loosely translated as “woodcutter”, Drovorub is a malware toolset made up of four components: the Drovorub kernel rootkit, Drovorub-server, Drovorub-client, and Drovorub-agent.
Here’s how these components fit together:
- The kernel rootkit is the first element to be installed. It creates system hooks designed to mask all Drovorub-associated processes, files, sockets and filter components.
- The Drovorub-server is the malware’s command and control (C2) element. Using this, the hacker can issue commands to the client and agent elements.
- The Drovorub-client is installed on the target by the hacker. This receives and executes commands from the server. It can transfer files to and from the victim. It also has a remote shell capability, potentially giving the hacker root privileges (i.e. complete remote control over the Linux machine).
The Drovorub-agent is similar to the client but without the remote shell capability. Its main use is for certain file transfer tasks and for forwarding.
What damage can Drovorub do?
Drovorub opens the door to a variety of reconnaissance operations on a targeted network. Its remote shell capabilities mean that a hacker can potentially view, host, retrieve and manipulate files without the administrator knowing anything about it.
Here’s how this can impact an organization:
- Loss of critical information, intellectual property, personal data and corporate secrets.
- It gives threat actors an invisible foothold, enabling them to potentially spy on a network over an extended period of time.
- Once an asset has been compromised with Drovorub, it opens the door to other types of malware being installed.
Who is behind Drovorub?
In their joint security alert, the FBI and NSA claimed that the malware is the work of APT28 (aka Fancy Bear). This is a hacking unit linked to the Russian General Staff Main Intelligence Directorate (GRU).
In broad terms, this group’s mission is to weaken and intimidate governments and organizations deemed as hostile to Russian interests. Favoured activities have included election meddling, fake news distribution and the collection and dumping of sensitive data.
This also includes more mainstream industrial espionage: i.e. targeting private businesses, possibly with an eye to using them as staging posts in bigger operations.
So how do they know it’s Fancy Bear? Apparently they’ve been reusing command & control servers. Drovorub is connected to a C&C server that was previously used for an APT28 operation targeting IoT devices early last year.
How do you detect Drovorub?
The joint NSA/FBI guidance sets out a number of detection techniques organizations can deploy to detect Drovorub activity. These include network and host-based detection, memory and disc image analysis. The full list is here.
Mitigating the threat
To prevent Drovorub’s rootkit to be installed (thereby stopping its ‘hiding and persistence’ technique), system administrators should update to Linux Kernel version 3.7 or later.
Malicious kernel modules are a common method for loading rootkits onto a Linux system. The latest Linux versions feature signed kernel module support, which stops kernel modules from loading, unless they have a valid signature.
You should definitely apply Linux updates and configure your system to prevent the introduction of malicious kernel modules. But as the joint guidance states, these steps are designed to prevent Drovorub’s persistence and hiding technique only. They don’t protect you against the initial infiltration. For this, always remember the importance of good cyber-hygiene:
- Keep on top of security updates.
- Make sure that secure configurations are applied to all devices.
- If you have no choice but to run a particular device on an out-of-date platform, make sure this is segregated from the rest of the network.
- Only grant the minimal needed privileges to user applications.
- Use multi-factor authentication where possible, especially for administrative accounts.
- Utilize system monitoring and alerts so that unusual network activity can be flagged up as early as possible.
- Reinforce IT safe usage policies through regular training (e.g. spotting phishing attempts and avoiding unsafe attachments).
Linux mastery starts here
Want to know more about Linux systems and Linux Security? Our new The Complete Linux Skills Bundle is designed to get you from beginner to power user via a series of easy-to-follow on-demand videos, articles and other resources. To take your Linux and security skills to the next level, it’s a must. Enrol here. [On sale now]
Thank you Nathan for a great and concise article on this threat, Drovorub.
My pleasure.
Hey Nathan, i had no Int-Acc for a while so i am behind. Your above article is a treacherous and frightining peace of information and i am glad i have read it. Again i thank you. as you might have noticed, i use a VPN so i may be a little harder to fish out. i get strange emails about hacking courses with misspelled words. i never click the their links and read the small print. Thanks alot Man…..
Hope for the best. Plan for the worst.
I am learning defence in depth at the moment and pressed the announcements to my horror reading about this Drovorub this is serious business. I have just started learning about cyber security but never thought how serious are these threats. Thanks for informing me I also often get those emails Nathan and some from HMRC which all are hackers tool to get into our PC’s. Thanks Nathan, I have a strong VPN to counter the threats.