This threat report is about the Drovorub malware, which has been attributed to the Russian military unit known as the GRU (Organization of the Main Intelligence Administration).
The malware affects Linux systems and utilizes a unique method of persistence within an infected host. The malware is a part of the intelligence operations of APT28 (Advanced Persistent Threat).
Drovorub malware operates as an installable agent on Linux hosts, performing a variety of reconnaissance operations on the network. The malware operates as a rootkit in conjunction with a toolset allowing for the ability to remain undetected. The client communicates with the command and control (C&C) server running a different version of the Drovorub software package.
Related Reading: Netwalker Ransomware Offered as Ransomware-as-a-Service Creating Increased Prevalence
The Drovorub server maintains a mysql database of all the installed agents in the wild. The database manages the requests sent by the individual agents and handles the tasking process. The server authenticates each agent before issuing commands to the Drovorub agent.
The Drovorub client receives instructions from the server and starts the execution of those commands. The client can transfer files from the affected host or retrieve files from the command and control server. The agent can also port forward network traffic to hide its presence. It can open a remote shell for the bad actor as needed.
The client is packaged with a callback URL for the Drovorub server, a username/password for authenticating with the server, and an RSA public key for facilitating the authentication process with the server.
The kernel module is the rootkit element of this malware campaign. It hides the Drovorub malware’s activities from the administrator by not making the operations viewable to the userspace. It hides all the file manipulation and the network sessions created by the Drovorub malware. All the communication between the various components is done by JSON over WebSockets.
Related Reading: SIGRed “Wormable” DNS Server Vulnerability is Critical to Address
We recommend you perform the following actions on your critical assets running the Linux operating system:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed security service capabilities.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!