Russian Drovorub malware affects Linux Systems

Drovorub Malware Overview

This threat report is about the Drovorub malware, which has been attributed to the Russian military unit known as the GRU (Organization of the Main Intelligence Administration).

The malware affects Linux systems and utilizes a unique method of persistence within an infected host. The malware is a part of the intelligence operations of APT28 (Advanced Persistent Threat).

Drovorub Tactics, Techniques, and Procedures

Drovorub malware operates as an installable agent on Linux hosts, performing a variety of reconnaissance operations on the network. The malware operates as a rootkit in conjunction with a toolset allowing for the ability to remain undetected. The client communicates with the command and control (C&C) server running a different version of the Drovorub software package.

Malware Components

Source: Russian GRU 85th GTsSS
Deploys Previously
Undisclosed Drovorub Malware

The Drovorub server maintains a mysql database of all the installed agents in the wild. The database manages the requests sent by the individual agents and handles the tasking process. The server authenticates each agent before issuing commands to the Drovorub agent.

The Drovorub client receives instructions from the server and starts the execution of those commands. The client can transfer files from the affected host or retrieve files from the command and control server. The agent can also port forward network traffic to hide its presence. It can open a remote shell for the bad actor as needed.

The client is packaged with a callback URL for the Drovorub server, a username/password for authenticating with the server, and an RSA public key for facilitating the authentication process with the server.

The kernel module is the rootkit element of this malware campaign. It hides the Drovorub malware’s activities from the administrator by not making the operations viewable to the userspace. It hides all the file manipulation and the network sessions created by the Drovorub malware. All the communication between the various components is done by JSON over WebSockets.

Authentication Model

How Drovorub Affects You

May lead to the loss of critical information and corporate secrets.
May provide a foothold for a nation-state-level threat actor to perform reconnaissance operations on the network.
May lead to the propagation of the malware on the affected asset.

What You Can Do about Drovorub

We recommend you perform the following actions on your critical assets running the Linux operating system:

Limit the use of root account on the system.
Use kernel protection tools like SELinux.
Consider utilizing AppArmor to restrict the operations of the programs running on the system.
Consider updating your Linux kernel to version 3.7 or later. This prevents unsigned kernel modules from loading on the system.
Build Linux systems on hardware that supports and uses UEFI on x86-64 systems. Set your UEFI settings to either thorough or full mode.
Install and scan your systems using either Rkhunter or Chrootkit.
Harden your sysctl.conf file using the guide linked below.

Sources and Helpful Information

Source

https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

MITRE Mapping(s)

Other Useful Information

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!

Chat With One of Our Experts

Threat Report Malware Threat Detection and Response Drovorub Linux System Blog