FBI and NSA Expose Drovorub Malware Used to Plant Backdoors Inside Hacked Networks

New Linux malware called “Drovorub” has been analysed by researchers from the FBI and NSA. In their joint cybersecurity advisory, both agencies state that Russian state-sponsored attackers use this malware to plant backdoors inside compromised networks.

FBI (Federal Bureau of Investigation) and NSA (National Security Agency) officials have confirmed, based on evidence from the attacks, that the Drovorub malware is the work of APT28 (also tracked as Fancy Bear, Sednit and Strontium), the codename given to attackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

What is Drovorub Malware?

The Drovorub client provides direct communication with actor-controlled C2 infrastructure, file download and upload, execution of arbitrary commands as root, and port forwarding of network traffic to other hosts on the network. The full Linux toolset consists of the implant (Drovorub-client) coupled with a kernel module rootkit (Drovorub-kernel), a file transfer and port forwarding tool (Drovorub-agent) and a command and control (C2) server (Drovorub-server).

The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices, and it persists across reboots of an infected machine unless UEFI Secure Boot is enabled in “Full” or “Thorough” mode.

Swiss Army Knife: Multi-component malware

As discussed above, this malware consists of an implant, a file transfer tool, a port-forwarding module, a command and control (C2) server and a kernel module rootkit. A “rootkit” is malicious code that runs with root or kernel privileges and uses them to hide itself, and anything it protects, from the system’s own tools; in Drovorub’s case the kernel module hides the implant’s files, processes and network sockets.

Once the attackers behind this malware have a foothold in a victim’s network, the implant gives them file upload and download, arbitrary command execution as root and traffic forwarding to other hosts, which is enough for file theft, tampering with antivirus or other security software, and the host of other post-compromise operations favoured by state-sponsored groups.

Because the rootkit component is a kernel module that loads at boot, the implant comes back after every restart of the infected system, so the foothold survives reboots that would clear a simpler user-space backdoor.

FBI and NSA do not name Drovorub’s targets

The report issued by the two agencies does not mention any specific targets, but organisations in North America can be assumed to be among the targets of the attackers behind this malware. Given the malware’s stealthy and utilitarian nature, it can be used for cyber espionage and, given APT28’s history, election interference. The advisory ties Drovorub’s infrastructure to an earlier Strontium campaign against IoT devices described by Microsoft, so let’s take a look at the statement from the Redmond giant:

“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting.”

FBI and NSA on attribution and preventative measures

“In addition to NSA’s and FBI’s attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure. For one example, on August 5, 2019, Microsoft Security Response Center published information linking IP address 82.118.242.171 to Strontium infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. (Microsoft Security Response Center, 2019) (Microsoft, 2019) NSA and FBI have confirmed that this same IP address was also used to access the Drovorub C2 IP address 185.86.149.125 in April 2019.”  

The report published by the two US agencies goes into great detail on the technical workings of the malware. It includes guidance on probing a host for the file-hiding behaviour, Snort rules, Volatility memory-analysis guidance and YARA rules so that administrators can build proper detection and protect their networks. As for preventative measures, both agencies recommend that administrators update to Linux kernel 3.7 or later, the first version with kernel module signing enforcement, and configure systems so that the kernel only loads modules with a valid digital signature (CONFIG_MODULE_SIG_FORCE at build time, or the module.sig_enforce=1 boot parameter), which stops Drovorub-kernel from being loaded at all. Enabling UEFI Secure Boot in “Full” or “Thorough” mode closes the remaining persistence path.
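A read-only audit of those three mitigations, written as an added example for this article rather than taken from the advisory. The sysfs and efivars paths in the usage comment are the standard locations but are passed in as parameters so the checks can also be run against fixture files; the kernel version string is taken from uname -r. One caveat: the SecureBoot EFI variable only says whether Secure Boot is on, not whether the firmware is in “Full” or “Thorough” mode, which still has to be confirmed in the firmware setup.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): audit a Linux host for the
# kernel-side mitigations the advisory recommends against Drovorub-kernel.
# Every path is a parameter so the functions work on fixture files too.

# kernel_at_least RUNNING WANTED: exit 0 if RUNNING ("5.4.0-80-generic")
# is at least WANTED ("3.7"). Only major.minor are compared.
kernel_at_least() {
    have=${1%%[!0-9.]*}             # drop "-80-generic" style suffixes
    want=${2%%[!0-9.]*}
    have_major=${have%%.*}; have_rest=${have#*.}
    want_major=${want%%.*}; want_rest=${want#*.}
    [ "$have_rest" = "$have" ] && have_rest=0   # no minor component given
    [ "$want_rest" = "$want" ] && want_rest=0
    have_minor=${have_rest%%.*}; want_minor=${want_rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -lt "$want_major" ] && return 1
    [ "$have_minor" -ge "$want_minor" ]
}

# sig_enforce_state FILE: prints "enforced", "not-enforced" or "unknown".
# On a live host FILE is /sys/module/module/parameters/sig_enforce, which
# reads "Y" when the kernel refuses unsigned modules (CONFIG_MODULE_SIG_FORCE
# or the module.sig_enforce=1 boot parameter) and is absent when the kernel
# was built without module signing support at all.
sig_enforce_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# secure_boot_state FILE: prints "enabled", "disabled" or "unknown".
# On a live host FILE is the SecureBoot variable under
# /sys/firmware/efi/efivars/; the file is 4 attribute bytes followed by the
# one-byte value, so the fifth byte is what we read.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# audit_host KERNEL SIG_FILE SB_FILE: prints one line per check and exits 0
# only when all three mitigations are in place.
audit_host() {
    ok=0
    if kernel_at_least "$1" 3.7; then
        echo "kernel $1: ok (module signing available)"
    else
        echo "kernel $1: older than 3.7, no module signing enforcement"; ok=1
    fi
    sig=$(sig_enforce_state "$2")
    echo "module signature enforcement: $sig"; [ "$sig" = enforced ] || ok=1
    sb=$(secure_boot_state "$3")
    echo "UEFI Secure Boot: $sb"; [ "$sb" = enabled ] || ok=1
    return $ok
}

# Live usage (assumed standard paths):
# audit_host "$(uname -r)" /sys/module/module/parameters/sig_enforce \
#   /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
```

A host that reports "not-enforced" will still accept an unsigned Drovorub-kernel module even on a recent kernel, so the version check alone is not a mitigation; it only means the enforcement option is available to turn on.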

We are researching the matter in depth and will post an update if one becomes available. If you have any suggestions or queries regarding “Drovorub Malware”, please write in the comment box below.