Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware


Monday, August 17th, 2020

The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is the subject of a new FBI cybersecurity advisory. GTsSS is deploying previously undisclosed malware for Linux systems called Drovorub. GTsSS is also known as Fancy Bear, APT28, and various other names. Attribution comes from overlaps between publicly known Fancy Bear infrastructure and Drovorub. The name of the malware itself means woodcutter or to split wood. The FBI describes it as a Linux malware toolset comprising an implant with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control server. Once a machine is infected, the Drovorub implant provides direct communication into the victim's network, along with file upload and download, execution of arbitrary commands as root, and port forwarding of network traffic to other hosts.

The Drovorub kernel module makes large-scale detection on the host difficult because it hides artefacts from commonly used tools. Packet inspection at network boundaries can be used to detect Drovorub; on the host, detection options include probing, security products, live response, memory analysis, and media analysis.

Prevention guidelines for protecting a machine against Drovorub persistence and evasion include updating the Linux kernel to 3.7 or higher and configuring systems to load only modules with valid digital signatures, which makes it difficult to load a malicious kernel module into the system. Read the full in-depth release from the FBI using the link below, including IOCs and an in-depth analysis of the malware.
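As an added example (not from the FBI advisory), a small POSIX shell script that checks a host against the two mitigations above: a kernel of 3.7 or newer and enforcement of kernel module signatures. It reads the standard `/sys/module/module/parameters/sig_enforce` interface; the function names and verdict strings are my own.

```shell
#!/bin/sh
# Added hardening check for the Drovorub mitigations named above.
# Not part of the advisory; function names and output strings are invented here.

# kernel_at_least RUNNING MINIMUM -> exit 0 if RUNNING >= MINIMUM.
# Splits on '.' and '-', so a release string like "4.15.0-112-generic"
# or "2.6.32-754.el6.x86_64" is compared on its numeric prefix only.
kernel_at_least() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
        NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
        END {
            if (a1 != b1) exit !(a1 > b1)
            if (a2 != b2) exit !(a2 > b2)
            exit !(a3 >= b3)
        }'
}

# module_signing_status -> prints "enforced", "not-enforced" or "unknown".
# The sysfs file exists on kernels built with CONFIG_MODULE_SIG; it reads "Y"
# when unsigned modules are refused (CONFIG_MODULE_SIG_FORCE, or the
# module.sig_enforce=1 boot parameter). Missing file: signing not built in,
# or not a Linux host, so we report "unknown" rather than guess.
module_signing_status() {
    f=/sys/module/module/parameters/sig_enforce
    if [ -r "$f" ]; then
        case $(cat "$f") in
            Y) echo enforced ;;
            *) echo not-enforced ;;
        esac
    else
        echo unknown
    fi
}

# Human-readable summary of both checks for the running host.
drovorub_mitigation_report() {
    running=$(uname -r)
    if kernel_at_least "$running" 3.7; then
        echo "kernel $running: OK (3.7 or newer, module signing supported)"
    else
        echo "kernel $running: OLD (upgrade to 3.7 or newer)"
    fi
    echo "module signature enforcement: $(module_signing_status)"
}

drovorub_mitigation_report
```

A result of "not-enforced" on a modern kernel means signed modules are supported but unsigned ones are still accepted, which is the gap the advisory's guidance closes.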


Sources: