Drovorub

By GoldSparrow in Malware

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released an extremely technical cybersecurity advisory that details the functions of a previously undisclosed Russian malware tool called Drovorub. This potent malware threat is part of the arsenal employed by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. The activities of this particular group of hackers have been documented and observed by cybersecurity experts for over a decade. In the course of that time, the group has managed to accumulate a sizable number of names, the most popular of which are Fancy Bear or APT28. Some of the other names include Strontium, Sednit, Pawn Storm, Tsar and Team Sofacy.

Being a Russian military hacker group, its attack campaigns have unsurprisingly been carried out in line with Russian interests and agenda. Among the campaigns attributed to APT28 are the 2016 DNC hack during the USA presidential elections and a campaign, uncovered by Cisco's Talos group, that infected over 500,000 routers spread across 54 countries.

Microsoft warned that APT28 has been compromising IoT (Internet of Things) devices and using them as a gateway into the networks they are connected to.

Drovorub Takes Full Control Over the Targeted System

As for this particular malware tool, its name, Drovorub, comes from strings that were left behind in the code. According to the advisory report, "Drovo" means "wood" in Russian, while "rub" can be roughly translated to "chop," resulting in "Woodcutter" as the English-translated name of this malware. An alternative could be "(Security) Driver Killer" derived from the Russian slang term for drivers, "Drova."

Drovorub consists of four components: an implant that can infect Linux-based systems, a kernel module that has complete rootkit capabilities, a tool for file transfer and port forwarding, and a Command and Control (C2) server under the control of the hackers. Once it has infiltrated the victim's computer, Drovorub gives the attackers full access. They can download additional files, exfiltrate sensitive data, and execute commands on the system thanks to the direct connection to the hacker-controlled C2 infrastructure established by Drovorub.

NSA and FBI Warn Organizations to Take Precautions

In the advisory, the agencies offer specific guidelines that private organizations can implement to reduce the risk of a Drovorub infection. At a minimum, servers should run Linux kernel version 3.7 or later because of its improved code-signing protections. The advisory also includes Snort and Yara rules that network administrators can load into their intrusion detection tooling to monitor network traffic and flag any of the obfuscated Drovorub files and processes that may already be present on a server.
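As an added example (not from the advisory or this article), the following POSIX sh script audits the two host-level points raised above: whether the running kernel is 3.7 or later and whether kernel module signature enforcement is turned on, which is what keeps an unsigned rootkit module from loading. It assumes the standard sysfs path `/sys/module/module/parameters/sig_enforce`; the version strings in the comments are constructed samples.

```sh
#!/bin/sh
# Added example: audit the Drovorub host-hardening points from the NSA/FBI
# advisory (kernel >= 3.7 and module signature enforcement). Not advisory code.

# kernel_at_least VERSION MAJOR MINOR
# Returns 0 when a release string such as "3.10.0-1127.el7.x86_64" (constructed
# sample) is at least MAJOR.MINOR; trailing "-generic" style suffixes are ignored.
kernel_at_least() {
    ver=$1; want_major=$2; want_minor=$3
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${major:-0}" -gt "$want_major" ] && return 0
    [ "${major:-0}" -eq "$want_major" ] && [ "${minor:-0}" -ge "$want_minor" ] && return 0
    return 1
}

# sig_enforce_state FILE
# Reads the kernel's sig_enforce parameter (normally
# /sys/module/module/parameters/sig_enforce) and prints "enforced",
# "not-enforced", or "unknown" when the file is missing or unreadable.
sig_enforce_state() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    case $(cat "$f") in
        Y|y|1) echo enforced ;;
        *)     echo not-enforced ;;
    esac
}

# audit_host: run both checks against the live system and report findings.
audit_host() {
    rel=$(uname -r)
    if kernel_at_least "$rel" 3 7; then
        echo "kernel $rel: OK (3.7 or later, module signing available)"
    else
        echo "kernel $rel: OLD (advisory asks for 3.7 or later)"
    fi
    state=$(sig_enforce_state /sys/module/module/parameters/sig_enforce)
    echo "module signature enforcement: $state"
    [ "$state" = enforced ] || \
        echo "  -> build with CONFIG_MODULE_SIG_FORCE or boot with module.sig_enforce=1"
}

# Only run the live audit when explicitly asked, so the functions can be sourced.
[ "${1:-}" = "--run" ] && audit_host
```

Run it as `sh drovorub_audit.sh --run` on each Linux server; an "unknown" enforcement state usually means the kernel was built without CONFIG_MODULE_SIG at all.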
