The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is deploying previously undisclosed malware for Linux systems, called Drovorub, as part of its cyber espionage operations. GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers.
Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actorcontrolled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.
A number of complementary detection techniques effectively identify Drovorub malware activity. However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale. While packet inspection at network boundaries can be used to detect Drovorub on networks, host-based methods include probing, security products, live response, memory analysis, and media (disk image) analysis.
To prevent a system from being susceptible to Drovorub’s hiding and persistence, system administrators should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.
Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system.
The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.