A report has been published on malware used by hackers linked to Russia. In a detailed document, the two agencies describe the operation of Drovorub, malware that the APT28 (Fancy Bear) group uses to break into government offices, political parties, and defense departments around the world.

Drovorub, which translates to “lumberjack”, was developed by the 85th Special Service Center (GTsSS) of the General Intelligence Directorate of the Russian General Staff. The malware targets outdated Linux-based systems in order to compromise them and steal information.

Drovorub is a malicious suite made up of four modules and uses a variety of techniques to hide and evade detection. It is concerning not only because of the steps it takes to hide itself, but also because of the root-level privileges it is able to obtain.

What does Drovorub do?

Drovorub is a Linux malware toolkit consisting of an implant, a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server.

When deployed on a compromised machine, the Drovorub (client) implant provides the ability to communicate directly with the attacker-controlled infrastructure, to upload and download files, to execute arbitrary commands as “root”, and to forward network traffic to other hosts.

According to the description by the US cybersecurity department:

Drovorub is a Linux malware toolkit consisting of an implant along with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. When deployed on a victim machine, the Drovorub (client) implant provides the capability for direct communications with the actor-controlled C2 infrastructure; file upload and download capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.

It is recommended to upgrade Linux machines to kernel version 3.7 or later to avoid being susceptible to this attack, and to take precautions so that only kernel modules with valid digital signatures can be loaded.
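A small POSIX shell check for those two recommendations, added here as an example (it is not part of the advisory or of this post). It assumes the sysfs path /sys/module/module/parameters/sig_enforce, which the kernel exposes when it is built with module signing support, and it also accepts an alternative file path so the check can be exercised with constructed input.

```shell
#!/bin/sh
# Added example: verify the two mitigations named above on a Linux host.
#  1) running kernel is 3.7 or later (the release that introduced module signing)
#  2) module signature enforcement is on, so unsigned modules are rejected

# kernel_at_least MAJOR MINOR VERSION_STRING
# Returns 0 if VERSION_STRING (e.g. "5.4.0-42-generic") is >= MAJOR.MINOR, else 1.
kernel_at_least() {
    want_major=$1; want_minor=$2; ver=$3
    base=${ver%%[-+]*}                  # drop distro suffixes such as "-42-generic"
    case "$base" in
        *.*) major=${base%%.*}; rest=${base#*.}; minor=${rest%%.*} ;;
        *)   major=$base; minor=0 ;;   # bare "4" means 4.0
    esac
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac   # reject non-numeric input
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ] && return 0
    return 1
}

# sig_enforce_enabled [PATH]
# Returns 0 when the kernel enforces module signatures (sysfs value "Y").
# PATH overrides the sysfs file so the function can be tested with a constructed file.
sig_enforce_enabled() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] || return 1             # absent: kernel built without module signing
    read -r val < "$f" || return 1
    [ "$val" = "Y" ]
}

# check_host prints a verdict for the machine the script runs on.
check_host() {
    running=$(uname -r 2>/dev/null || echo unknown)
    if kernel_at_least 3 7 "$running"; then
        echo "kernel $running: OK (>= 3.7, module signing available)"
    else
        echo "kernel $running: TOO OLD (< 3.7), upgrade recommended"
    fi
    if sig_enforce_enabled; then
        echo "module signature enforcement: ON"
    else
        echo "module signature enforcement: OFF (unsigned modules can be loaded)"
    fi
}

check_host
```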
