Dubbed Drovorub by the agencies; the malware hacking tool is capable of stealing data and spying on Linux systems.
Nation-state hackers have long been used by governments to fight other states covertly. While every country has them, some, such as Russia, hold a strong lead on this front, which naturally concerns their adversaries.
With this in mind, just a day ago the FBI and NSA issued a joint alert on Drovorub, malware they believe was developed by the Russian General Staff Main Intelligence Directorate (GRU) to hack Linux-based systems.
The group in question is alleged to be APT28, which is also known as:
- FancyBear, known for using the leaked NSA hacking tools to spy on hotel guests.
- Strontium, known for targeting Republicans and conservative officials in the US.
- Sednit, known for infecting websites with malware, one of its targets being EFF’s website.
- Pawn Storm, accused of hacking the live transmission of French TV5Monde and defacing it with ISIS’s logo.
- Sofacy, known for running the (now seized) VPNFilter botnet domain that infected 500,000 routers.
- Tsar Team, known for hacking a prominent plastic surgery clinic and leaking naked photos of patients.
Delving into the details of the malware itself, it can be used to steal files, remotely administer a victim’s computer, spy on users, and much more. Featuring a full-fledged toolkit, it is composed of multiple components:
- A kernel module operating as a rootkit in order to gain access to the target system
- A port forwarding and file transfer tool (agent)
- An implant (client)
- A C2 server for communicating with the attackers.
To avoid detection, the malware employs certain measures, as the agencies state:
The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices (T1014), and persists through reboot of an infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.
As mitigation, the report recommends that administrators ensure all Linux systems are updated to at least Linux kernel 3.7 and that only kernel modules with valid digital signatures are loaded. One way to achieve the latter is to enable UEFI Secure Boot (in “Full” or “Thorough” mode, per the advisory’s note above).
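The following audit script is an added example, not part of the article or the NSA/FBI advisory. It checks the three conditions the mitigation paragraph describes on a Linux host: a kernel at or above 3.7, module signature enforcement (`/sys/module/module/parameters/sig_enforce`), and UEFI Secure Boot (read from the standard `SecureBoot` EFI variable under `/sys/firmware/efi/efivars`). The sysfs paths are the usual kernel locations; the helper names (`version_at_least`, `sig_enforce_on`, `secure_boot_on`, `audit`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the mitigations the article lists.
# Run with "--run" to check the live system; the helpers take paths so they can
# also be exercised against constructed files.

# major VERSION -> leading numeric component ("4.15.0-generic" -> 4)
major() { printf '%s\n' "${1%%.*}" | sed 's/[^0-9].*//'; }

# minor VERSION -> second numeric component ("4.15.0-generic" -> 15, "4" -> 0)
minor() {
    case $1 in
        *.*) r=${1#*.}; printf '%s\n' "${r%%.*}" | sed 's/[^0-9].*//' ;;
        *)   echo 0 ;;
    esac
}

# version_at_least MIN ACTUAL -> success if ACTUAL >= MIN, comparing major.minor
version_at_least() {
    mj=$(major "$1"); mn=$(minor "$1")
    aj=$(major "$2"); an=$(minor "$2")
    [ "$aj" -gt "$mj" ] && return 0
    [ "$aj" -eq "$mj" ] && [ "$an" -ge "$mn" ]
}

# sig_enforce_on FILE -> success if the kernel refuses unsigned modules ("Y")
sig_enforce_on() {
    [ -r "$1" ] || return 1
    v=$(cat "$1" 2>/dev/null)
    [ "$v" = "Y" ]
}

# secure_boot_on FILE -> success if the EFI SecureBoot variable's data byte is 1.
# efivarfs files carry 4 attribute bytes followed by the variable data, so the
# last byte is the value. (mokutil --sb-state reports the same thing.)
secure_boot_on() {
    [ -r "$1" ] || return 1
    last=$(od -An -tu1 "$1" | tr -s ' \n' ' ' | sed 's/ *$//; s/.* //')
    [ "$last" = "1" ]
}

# audit -> print one line per check against the live system
audit() {
    kv=$(uname -r)
    if version_at_least 3.7 "$kv"; then
        echo "ok   kernel $kv supports module signature checks (>= 3.7)"
    else
        echo "FAIL kernel $kv is older than 3.7"
    fi
    if sig_enforce_on /sys/module/module/parameters/sig_enforce; then
        echo "ok   unsigned kernel modules are refused (sig_enforce=Y)"
    else
        echo "WARN unsigned kernel modules may load (sig_enforce not Y or unreadable)"
    fi
    if secure_boot_on /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c; then
        echo "ok   UEFI Secure Boot enabled"
    else
        echo "WARN UEFI Secure Boot disabled or system not booted via UEFI"
    fi
}

if [ "${1:-}" = "--run" ]; then
    audit
fi
```

A kernel newer than 3.7 only makes signature checking possible; it is the `sig_enforce=Y` result (or Secure Boot, which turns enforcement on for most distribution kernels) that actually stops an unsigned rootkit module from loading, which is why the script reports the two separately.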
To conclude, such collaboration between two government agencies greatly helps the country’s private sector adapt to such threats in time.
Furthermore, it reinforces the independent security firms working around the clock to report on and combat such threats. We hope to see more reports of a similar nature in the future, and we will continue to update you.
Re: malware name “Drovorub”, which as @NSACyber points out translates directly as “woodcutter”
However, more importantly, “Drova” is slang in Russian for “drivers”, as in kernel drivers. So the name likely was chosen to mean “(security) driver slayer” https://t.co/yToULwp3xw
— Dmitri Alperovitch (@DAlperovitch) August 13, 2020