FBI And NSA Warn Of Sophisticated Russian Drovorub Malware Targeting Linux Systems
According to the FBI/NSA white paper, Drovorub was developed by the Russian General Staff Main Intelligence Directorate, better known as GRU. GRU has been responsible for numerous cyber espionage campaigns against the United States and its allies, and had a hand in attempting to influence the 2016 U.S. Presidential Election. In the past, we've seen GRU operating under the following names: Strontium, ATP28 and Fancy Bear.
Dorovorub is a rather sophisticated piece of malware that seeks Linux kernel access, and get its name from "artifacts" that researchers discovered in its code. Broken down, "Drovo" translates to "firewood" in Engligh, while "Drub" means "to chop." Thus, Drovorub is essentially a "woodcutter". However, security researcher Dmitri Alperovitch has a different interpretation of the name:
Re: malware name “Drovorub”, which as @NSACyber points out translates directly as “woodcutter”— Dmitri Alperovitch (@DAlperovitch) August 13, 2020
However, more importantly, “Drova” is slang in Russian for “drivers”, as in kernel drivers. So the name likely was chosen to mean “(security) driver slayer" https://t.co/yToULwp3xw
The white paper goes on to describe Drovorub, writing:
Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor- controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as "root"; and port forwarding of network traffic to other hosts on the network.
Drovorub is capable of persisting even after a system reboot if a system has been infected, although this can be mitigated if UEFI secure boot is set to Full or Thorough modes.
The FBI and NSA are urging administrators to upgrade to Linux Kernel 3.7 (or later) to help mitigate Drovorub attacks to take advantage of kernel signing enforcement. It’s also suggested that administrators only allow modules with a valid digital signature to be loaded, which will present yet another roadblock for bad actors.
You can read the full and incredibly detailed white paper right here [PDF]