The FBI and NSA warned in a joint advisory that Russian state hackers are using previously undisclosed Linux malware to stealthily infiltrate sensitive networks, steal confidential information, and execute malicious commands.
In a report of unusual technical depth for a government agency, officials said the malware, dubbed Drovorub, is a full-featured toolkit that went undetected until recently. The malware connects to command-and-control servers run by a hacking group working for the GRU, Russia's military intelligence agency, which is tied to more than a decade of brazen and advanced campaigns, many of which have done serious damage to national security.
"The information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election as described in the 2017 Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent US Elections (Office of the Director of National Intelligence, 2017)," the agencies wrote.
Stealthy, powerful and fully equipped
The Drovorub toolset has four main components: a client that infects Linux devices; a kernel module that uses rootkit techniques to gain persistence and hide its presence from the operating system and from security tools; a server that runs on attacker-operated infrastructure to control infected machines and receive stolen data; and an agent that runs on compromised servers or computers under the attackers' control and acts as a relay between infected machines and the server.
A rootkit is a type of malware that buries itself deep in the operating system kernel and prevents the OS from reporting the malicious files or the processes they create. It also uses a variety of other techniques to make infections invisible to ordinary antivirus tools. Drovorub likewise goes to great lengths to camouflage traffic to and from an infected network.
The malware runs with unrestricted root privileges, giving operators complete control over a system. It offers a comprehensive range of functions that make it the equivalent of a Swiss Army knife.
Security driver slayer
Government officials said Drovorub got its name from strings of characters inadvertently left in the code. "Drovo" roughly means "wood" or "firewood," while "rub" means "to fell" or "to chop." Taken together, the government said, Drovorub means "lumberjack" or "woodcutter." Dmitri Alperovitch, a security researcher who has spent most of his career investigating Russian hacking campaigns, including those targeting the DNC in 2016, offered a different interpretation.
"Re: malware name 'Drovorub' which, as @NSACyber points out, translates directly to 'lumberjack,'" Alperovitch, co-founder and former CTO of security company CrowdStrike, wrote on Twitter on August 13, 2020. "More importantly, 'Drova' in Russian is slang for 'driver,' as in kernel drivers. Hence the name was probably chosen to mean '(security) driver slayer.'"
Serving the national interests of Russia for more than a decade
Drovorub adds to an already abundant cache of previously known tools and tactics used by APT 28, the Russian military hacking group that other researchers refer to as Fancy Bear, Strontium, Pawn Storm, Sofacy, Sednit, and Tsar Team. The group's hacks serve the interests of the Russian government and target countries and organizations that the Kremlin regards as adversaries.
In August 2019, Microsoft reported that the group had hacked printers, video decoders, and other so-called Internet of Things devices and used them as a beachhead to break into the computer networks they were connected to. In 2018, researchers from Cisco's Talos group discovered that APT 28 had infected more than 500,000 consumer routers in 54 countries, which could then be used for a variety of nefarious purposes.
Other APT 28 related campaigns include:
Thursday's advisory did not identify the organizations Drovorub targeted, or even fully describe the industries or regions they are in. Nor did it say how long the malware has been in the wild, how many known infections there have been, or how the hackers were infecting servers. APT 28 often relies on malicious spam or phishing attacks that either infect computers or steal passwords. The group also exploits vulnerabilities in devices that have not been patched.
Agency officials said an important defense against Drovorub is making sure all security updates are installed. The advisory also recommends running Linux kernel version 3.7 or later so that organizations can take advantage of kernel module signing enforcement, which uses cryptographic signatures to ensure that a kernel module comes from a known, trusted source and has not been tampered with.
"System owners are also advised to configure systems to only load modules with a valid digital signature, which makes it more difficult for an actor to introduce a malicious kernel module into the system," the advisory says.
It also includes Snort rules that network administrators can load into their intrusion detection systems to flag traffic to or from Drovorub control servers, and Yara rules for identifying hidden Drovorub files or processes already present on a server.
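The practical catch with module signing is that a kernel built with signature checking but without enforcement will still load an unsigned module; it merely taints the kernel and writes a log line. The following shell script, an added example written for this article and not code from the advisory, assesses which of the three states a kernel is in from its build config (the standard CONFIG_MODULE_SIG and CONFIG_MODULE_SIG_FORCE options) and the runtime knob at /sys/module/module/parameters/sig_enforce (set by module.sig_enforce=1 on the kernel command line), and then pulls the names of modules that the kernel logged as failing verification. The config files and kernel log lines it runs on are constructed sample data.

```shell
#!/bin/sh
# Added example: check Linux kernel module signature enforcement and hunt
# for unsigned-module loads in kernel log text. Option and path names are
# the standard upstream ones (present since Linux 3.7); the sample inputs
# below are constructed for demonstration, not real captures.

# modsig_status CONFIG_FILE SIG_ENFORCE_VALUE
#   prints one of: enforced | log-only | disabled
modsig_status() {
    cfg="$1"; enforce="$2"
    # No signature checking compiled in: unsigned modules load silently.
    grep -q '^CONFIG_MODULE_SIG=y' "$cfg" || { echo disabled; return 0; }
    # Built with FORCE, or sig_enforce flipped to Y at boot: the kernel
    # refuses modules that are unsigned or carry a bad signature.
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$cfg" || [ "$enforce" = "Y" ]; then
        echo enforced; return 0
    fi
    # Signatures are verified, but a failure only taints the kernel and logs.
    echo log-only
}

# unsigned_loads LOGFILE
#   prints the module names the kernel reported as failing verification
unsigned_loads() {
    sed -n 's/^.*\] \([A-Za-z0-9_]*\): module verification failed.*$/\1/p' "$1"
}

# live_status: the same assessment for the running kernel (Linux only)
live_status() {
    cfg="/boot/config-$(uname -r)"
    knob=/sys/module/module/parameters/sig_enforce
    [ -r "$cfg" ] && [ -r "$knob" ] || { echo "unknown (no config or sysfs knob)"; return 1; }
    modsig_status "$cfg" "$(cat "$knob")"
}

# --- constructed sample data ------------------------------------------------
tmp="${TMPDIR:-/tmp}/modsig.$$"
mkdir -p "$tmp"
printf 'CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$tmp/config.logonly"
printf 'CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\n' > "$tmp/config.force"
printf 'CONFIG_MODULES=y\n# CONFIG_MODULE_SIG is not set\n' > "$tmp/config.none"
cat > "$tmp/dmesg.sample" <<'EOF'
[   12.345678] e1000e: Intel(R) PRO/1000 Network Driver
[  901.112233] evil_mod: loading out-of-tree module taints kernel.
[  901.112301] evil_mod: module verification failed: signature and/or required key missing - tainting kernel
EOF

modsig_status "$tmp/config.logonly" N   # log-only: unsigned modules still load
modsig_status "$tmp/config.logonly" Y   # enforced via module.sig_enforce=1
modsig_status "$tmp/config.force"   N   # enforced at build time
modsig_status "$tmp/config.none"    N   # disabled
unsigned_loads "$tmp/dmesg.sample"      # evil_mod
rm -rf "$tmp"
```

Run `live_status` on a production host to see its real state; anything other than `enforced` means the advisory's recommendation is not actually in effect, and a non-empty `unsigned_loads` result over the real kernel log is worth investigating, since a loaded unsigned module is exactly what the Drovorub kernel component is.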
The 45-page document offers technical details and in-depth analysis on par with some of the best research from private companies. The advisory is also the first to disclose the existence of this new and advanced malware. Both are things rarely found in government advisories. The report is worth reading for anyone who manages a network.