Never-before-seen malware has been used for espionage purposes via Linux systems, the NSA and FBI warn in a joint advisory.

UPDATE

The U.S. government is warning of new malware, dubbed Drovorub, that targets Linux systems. It also claims the malware was developed for a Russian military unit in order to carry out cyber-espionage operations.

The malware, Drovorub, comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers. The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. According to a Thursday advisory by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware especially represents a threat to national security systems such as the Department of Defense and Defense Industrial Base customers that use Linux systems.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

Despite the in-depth report, the FBI and NSA did not detail the initial attack vector for the malware. The report also does not specify how long the malware has been in action, how many companies may have been targeted, or whether any attacks have been successful. Authorities did not say how the malware initially infects victims either. The report did say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The Malware

Of note, the name “Drovorub” was pulled from a variety of artifacts discovered in Drovorub files, according to the report. The FBI and NSA say this is the name used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.”

Drovorub refers to a malware suite of four separate components: an agent, a client, a server and a kernel module. When deployed on a victim’s machine, the Drovorub client is installed first and provides the capability for direct communications with actor-controlled command-and-control (C2) infrastructure.


Once the client is in contact with the attacker-controlled server, it uses an agent component to receive commands. Those commands can trigger file download and upload, execution of arbitrary commands as “root,” and port forwarding of network traffic to other hosts on the network.

Additionally, the client is packaged with a kernel module that provides rootkit-based stealth functionality to hide the client and the kernel module itself, according to the advisory. A rootkit is a collection of malicious software designed to enable access to a computer; here it provides an extra layer of stealth, hiding the implant on infected devices by concealing specific files, modules and network artifacts. The rootkit also has a persistence feature that allows the malware to remain on an infected machine after it is rebooted (unless UEFI Secure Boot is enabled in “Full” or “Thorough” mode).
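A kernel-module rootkit that hides itself from the kernel's module list typically leaves other traces behind. The script below is an added, generic cross-check (written for this article, not taken from the NSA/FBI advisory and not a Drovorub signature): it flags any module that sysfs reports as live under /sys/module but that is missing from /proc/modules, while skipping built-in entries that have no initstate file. It assumes the rootkit unlinks itself from the list that /proc/modules reads but does not also remove its sysfs directory; the sample data and the name hidden_mod are constructed placeholders.

```python
import os

# Constructed sample of /proc/modules text (not from a real infection):
# "name size refcount dependencies state address" per line.
SAMPLE_PROC_MODULES = """\
ext4 778240 2 - Live 0xffffffffc0a00000
xfs 1495040 0 - Live 0xffffffffc0900000
e1000 163840 0 - Live 0xffffffffc0800000
"""

# Constructed view of /sys/module: directory name -> contents of its
# 'initstate' file, or None when that file does not exist.
SAMPLE_SYS_MODULES = {
    "ext4": "live\n",
    "xfs": "live\n",
    "e1000": "live\n",
    "hidden_mod": "live\n",  # placeholder: unlinked from the module list, sysfs entry left behind
    "printk": None,          # built-in code exposing parameters only; not a loadable module
}

def parse_proc_modules(text):
    """Return the set of module names listed in /proc/modules-style text."""
    return {line.split()[0] for line in text.splitlines() if line.split()}

def find_hidden_modules(proc_modules_text, sys_module_entries):
    """Modules that sysfs says are live but that /proc/modules omits.

    Entries whose initstate is None are built-in or parameter-only and are
    ignored, so they do not produce false positives.
    """
    visible = parse_proc_modules(proc_modules_text)
    return sorted(
        name for name, state in sys_module_entries.items()
        if state is not None and state.strip() == "live" and name not in visible
    )

def read_sys_module_entries(sys_root="/sys/module"):
    """Collect the real sysfs entries on a live Linux host."""
    entries = {}
    for name in os.listdir(sys_root):
        try:
            with open(os.path.join(sys_root, name, "initstate")) as fh:
                entries[name] = fh.read()
        except OSError:
            entries[name] = None
    return entries

if __name__ == "__main__":
    print("sample:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES))
    if os.path.exists("/proc/modules") and os.path.isdir("/sys/module"):
        with open("/proc/modules") as fh:
            print("live host:", find_hidden_modules(fh.read(), read_sys_module_entries()) or "none")
```

An empty result is not proof of a clean system: a rootkit that also removes its sysfs directory defeats this check, which is why memory forensics is the stronger confirmation.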


NSA, FBI Warn of Linux Malware Used in Espionage Attacks