US government security agencies have issued a warning about new malware that targets Linux systems. Known as Drovorub, the malware has been disclosed by the FBI and NSA. According to the agencies, it was originally created for Russia’s military for cyber-espionage.
As such, Drovorub comes with several tricks to remain undetected. Its espionage tooling lets the malware infiltrate a system, give the attacker remote control of the victim machine and steal data. The NSA and FBI describe the malware as sophisticated and built to carry out stealth attacks.
This is possible because of a hard-to-trace rootkit. In their joint advisory on Thursday, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) said the malware is a threat to US national security.
“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to a 45-page analysis of the malware published Thursday [PDF]. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”
Interestingly, in the extensive 45-page report the agencies do not say how the malware finds its way onto a PC. Nor is there any information on how long the virus has been in the wild, or whether attacks have been successful.
It seems Drovorub is malware that carries four components (the implant, the kernel module rootkit, the file transfer and port forwarding tool, and the C2 server) that together give an attacker control of a system. Firstly, once it is installed on a machine (again, through a still-unknown vector), the malware can communicate directly with the attacker’s command-and-control (C2) infrastructure.
When contact is established, the bad actor has control over the machine. The NSA and FBI say Drovorub has been used already, likely by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
While the malware is troubling, the authorities say mitigations are available. Specifically, enabling UEFI Secure Boot in “full” or “thorough” mode can stop kernel modules like those used by Drovorub from loading.
“This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection,” the agencies say.
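As an added, defender-side illustration of the Secure Boot mitigation (example code written for this article, not from the advisory or from any Drovorub tooling), the script below checks whether a Linux kernel will refuse to load unsigned modules. It reads three standard kernel indicators, the build config under /boot, /proc/cmdline and the lockdown LSM state under /sys/kernel/security; those paths and option names are assumed from the mainline kernel, not taken from the advisory, and the sample inputs are constructed.

```python
"""Check whether a Linux host will refuse to load unsigned kernel modules.

Drovorub's rootkit component is a kernel module, so the advisory's mitigation
(UEFI Secure Boot with kernel signature enforcement) boils down to one
question: does this kernel reject unsigned modules? The indicators read here
are the kernel build config, the boot command line and the lockdown LSM state.
"""
import os
import re

# Constructed sample inputs, standing in for /boot/config-<release>,
# /proc/cmdline and /sys/kernel/security/lockdown on a hardened host.
SAMPLE_CONFIG = "CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_SHA256=y\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet\n"
SAMPLE_LOCKDOWN = "none [integrity] confidentiality\n"


def assess(config: str, cmdline: str, lockdown: str) -> dict:
    """Return each signal plus an overall 'enforced' verdict."""
    opts = set(config.split())
    sig_supported = "CONFIG_MODULE_SIG=y" in opts     # kernel can verify signatures at all
    sig_forced = "CONFIG_MODULE_SIG_FORCE=y" in opts  # built to reject unsigned modules
    # module.sig_enforce=1 on the command line turns enforcement on at boot.
    cmdline_enforce = re.search(r"(^|\s)module\.sig_enforce=1(\s|$)", cmdline) is not None
    # The active lockdown mode is shown in brackets; integrity and confidentiality
    # both reject unsigned modules (Secure Boot typically puts distribution
    # kernels in integrity mode). Lockdown only applies when CONFIG_MODULE_SIG is set.
    m = re.search(r"\[(\w+)\]", lockdown)
    lockdown_mode = m.group(1) if m else "unavailable"
    lockdown_enforce = lockdown_mode in ("integrity", "confidentiality")
    enforced = sig_supported and (sig_forced or cmdline_enforce or lockdown_enforce)
    return {
        "sig_supported": sig_supported,
        "sig_forced": sig_forced,
        "cmdline_enforce": cmdline_enforce,
        "lockdown_mode": lockdown_mode,
        "enforced": enforced,
    }


def assess_live() -> dict:
    """Read the real files on this host; a missing file counts as empty."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return assess(read(f"/boot/config-{os.uname().release}"),
                  read("/proc/cmdline"),
                  read("/sys/kernel/security/lockdown"))


if __name__ == "__main__":
    for name, value in assess_live().items():
        print(f"{name}: {value}")
```

A host that reports `enforced: False` will load an unsigned module such as Drovorub's rootkit; in that case the Snort and YARA rules the agencies mention are the remaining detection layer.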