FBI And NSA Expose New Linux Malware Drovorub, Used By Russian State Hackers

The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia's military hackers.

The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks.

Based on evidence the two agencies have collected, FBI and NSA officials claim the malware is the work of APT28 (Fancy Bear, Sednit), a codename given to the hackers operating out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main SpecialService Center (GTsSS).

Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so IT administrators can quickly deploy detection rules and prevention measures.

Per the two agencies, Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

"Drovorub is a 'swiss-army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer," McAfee CTO, Steve Grobman, told ZDNet in an email today.

"In addition to Drovorub's multiple capabilities, it is designed for stealth by utilizing advanced 'rootkit' technologies that make detection difficult," the McAfee exec added. "The element of stealth allows the operatives to implant the malware in many different types of targets, enabling an attack at any time."

"The United States is a target-rich environment for potential cyber-attacks. The objectives of Drovorub were not called out in the report, but they could range from industrial espionage to election interference," Grobman said.

"Technical details released today by the NSA and FBI on APT28's Drovorub toolset are highly valuable to cyber defenders across the United States."

To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, "in order to take full advantage of kernel signing enforcement," a security feature that would prevent APT28 hackers from installing Drovorub's rootkit.

The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.

Some interesting details we gathered from the 45-page-long security alert:

• The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.
• The name comes from drovo [дрово], which translates to "firewood", or "wood" and rub [руб], which translates to "to fell", or "to chop."
• The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies claim Drovorub connected to a C&C server that was previously used in the past for APT28 operations targeting IoT devices in the spring of 2019. The IP address had been previously documented by Microsoft.