Russia’s GRU Military Unit Behind Previously Unknown Linux Malware, NSA Says


The National Security Agency (NSA) and the Federal Bureau
of Investigation (FBI) have revealed the existence of a new piece of malware
named Drovorub, most likely developed by a military unit of the Russian General
Staff Main Intelligence Directorate (GRU).

Suspected GRU involvement in developing tools used in
cyberattacks is nothing new. What makes the NSA and FBI’s advisory different is
the reveal of a new malware called Drovorub, designed to infect Linux systems
and help compromise the target computer.

The advisory attributes Drovorub to GRU military unit 26165, part of the
85th Main Special Service Center (GTsSS), whose activity the private sector
tracks under names such as APT28 and Fancy Bear. According to the NSA and FBI,
the unit developed this new Linux threat, although the agencies did not say
how widely it had been deployed or whether it was caught before it could do any
damage.

“Drovorub is a Linux malware toolset consisting of
an implant coupled with a kernel module rootkit, a file transfer and port
forwarding tool, and a Command and Control (C2) server,” says the advisory.
“When deployed on a victim machine, the Drovorub implant (client) provides
the capability for direct communications with actor controlled C2
infrastructure; file download and upload capabilities; execution of arbitrary
commands as ‘root’; and port forwarding of network traffic to other
hosts on the network.”

Identifying this malware is a difficult process, especially on the host itself. The advisory lists two kinds of detection: packet inspection at network boundaries, which can pick out Drovorub C2 traffic, and host-based methods, namely probing, security products, live response, memory analysis and
media (disk image) analysis.

Detection on the host is the harder part because the implant is coupled with
a dedicated kernel module rootkit that hides the malware's artifacts from user space.

The two agencies published several mitigations and detection techniques,
each with its strengths and weaknesses. There is no patch for Drovorub as such,
because it exploits no specific vulnerability; instead the advisory tells
system administrators to run a Linux kernel of version 3.7 or later, the first
release that supports kernel module signature verification.

System owners also have to make sure their kernels only load modules with a
valid digital signature, which makes it much harder for an attacker to introduce
a malicious kernel module such as the Drovorub rootkit.
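The three host-side checks above can be scripted. What follows is an added example written for this article, not code from the advisory or from the agencies: it reads the standard Linux paths (/proc/modules, /sys/module, /boot/config-$(uname -r) and the module.sig_enforce parameter under /sys), and the function names and the sample files used to exercise them are my own construction. Module signing is enforced either by building with CONFIG_MODULE_SIG_FORCE=y or by booting with module.sig_enforce=1; with CONFIG_MODULE_SIG=y alone an unsigned module still loads and only taints the kernel.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): host checks for the two
# mitigations in the text, a 3.7+ kernel and enforced module signing, plus a
# crude hidden-module heuristic. Paths are the standard Linux /proc, /sys and
# /boot locations; the inputs used in the self-test are constructed files.

# kernel_at_least MIN RUNNING: succeed if kernel RUNNING (e.g. "5.4.0-42-generic")
# is at least MIN (e.g. "3.7"), comparing major.minor only.
kernel_at_least() {
    min_major=${1%%.*}; min_minor=${1#*.}; min_minor=${min_minor%%.*}
    [ "$min_minor" = "$1" ] && min_minor=0         # "3" with no dot means 3.0
    run_major=${2%%.*}; run_minor=${2#*.}; run_minor=${run_minor%%.*}
    [ "$run_minor" = "$2" ] && run_minor=0
    run_minor=${run_minor%%[!0-9]*}                 # "7-rc1" -> "7"
    [ "$run_major" -gt "$min_major" ] && return 0
    [ "$run_major" -eq "$min_major" ] && [ "${run_minor:-0}" -ge "$min_minor" ]
}

# sig_enforce_status CONFIG_FILE SIG_ENFORCE_PARAM: print
#   enforced      - module.sig_enforce reads Y, or CONFIG_MODULE_SIG_FORCE=y
#   signing-only  - CONFIG_MODULE_SIG=y but unsigned modules still load (tainted)
#   off           - no module signature verification at all
sig_enforce_status() {
    if [ -r "$2" ] && [ "$(cat "$2")" = "Y" ]; then
        echo enforced
    elif grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1" 2>/dev/null; then
        echo enforced
    elif grep -qx 'CONFIG_MODULE_SIG=y' "$1" 2>/dev/null; then
        echo signing-only
    else
        echo off
    fi
}

# hidden_modules PROC_MODULES SYS_MODULE_DIR: print modules that have a sysfs
# directory with an "initstate" file (only loadable modules get one; built-in
# code does not) but no line in /proc/modules. A module that unlinked itself
# from the kernel's module list, the classic way to vanish from lsmod, shows
# up here because its sysfs kobject usually survives.
hidden_modules() {
    for d in "$2"/*/; do
        [ -f "$d/initstate" ] || continue
        name=$(basename "$d")
        grep -q "^$name " "$1" || echo "$name"
    done
}

# audit_host: run the checks against the live machine.
audit_host() {
    running=$(uname -r)
    if kernel_at_least 3.7 "$running"; then
        echo "kernel $running: 3.7 or later, module signature verification available"
    else
        echo "kernel $running: older than 3.7, upgrade before relying on module signing"
    fi
    echo "module signing: $(sig_enforce_status "/boot/config-$running" \
                                /sys/module/module/parameters/sig_enforce)"
    if [ -d /sys/module ] && [ -r /proc/modules ]; then
        hidden=$(hidden_modules /proc/modules /sys/module)
        [ -n "$hidden" ] && echo "in sysfs but not in /proc/modules: $hidden"
    fi
    return 0
}

audit_host
```

Run it as root on the host being checked. Anything reported by hidden_modules deserves a memory capture and offline analysis rather than further poking on the live system, since a rootkit that hides from /proc/modules can just as easily filter other kernel interfaces; a clean result does not prove absence, which is why the advisory pairs host checks with inspection at the network boundary.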