CATEGORIES
home News

FBI And NSA Warn Of Sophisticated Russian Drovorub Malware Targeting Linux Systems

by Brandon HillFriday, August 14, 2020, 11:08 AM EDT
linux gru drovorub
The U.S. Federal Bureau of Investigation (FBI) and National Security Administration (NSA) have joined forces to warn about a new threat of cyberattacks sourced from Russia. The two intelligence agencies have posted a complete technical analysis of what is be called Drovorub malware, which is targeting Linux-based systems.

According to the FBI/NSA white paper, Drovorub was developed by the Russian General Staff Main Intelligence Directorate, better known as GRU. GRU has been responsible for numerous cyber espionage campaigns against the United States and its allies, and had a hand in attempting to influence the 2016 U.S. Presidential Election. In the past, we've seen GRU operating under the following names: Strontium, ATP28 and Fancy Bear.

Dorovorub is a rather sophisticated piece of malware that seeks Linux kernel access, and get its name from "artifacts" that researchers discovered in its code. Broken down, "Drovo" translates to "firewood" in Engligh, while "Drub" means "to chop." Thus, Drovorub is essentially a "woodcutter". However, security researcher Dmitri Alperovitch has a different interpretation of the name:

The white paper goes on to describe Drovorub, writing: 

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor- controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as "root"; and port forwarding of network traffic to other hosts on the network.

Drovorub is capable of persisting even after a system reboot if a system has been infected, although this can be mitigated if UEFI secure boot is set to Full or Thorough modes.

The FBI and NSA are urging administrators to upgrade to Linux Kernel 3.7 (or later) to help mitigate Drovorub attacks to take advantage of kernel signing enforcement. It’s also suggested that administrators only allow modules with a valid digital signature to be loaded, which will present yet another roadblock for bad actors. 

You can read the full and incredibly detailed white paper right here [PDF]

Tags:  FBI, NSA, strontium, drovorub, atp28, fancy bear
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment