NSA, FBI Warn of Linux Malware Used in Espionage Attacks

Posted by AngelaWong, 16-08-2020

A never-before-seen malware has been used for espionage purposes via Linux systems, the NSA and FBI warn in a joint advisory.


The U.S. government is warning of new malware, dubbed Drovorub, that targets Linux systems. It also claims the malware was developed for a Russian military unit in order to carry out cyber-espionage operations.

The malware, Drovorub, comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers. The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. According to a Thursday advisory by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware especially represents a threat to national security systems such as the Department of Defense and Defense Industrial Base customers that use Linux systems.


“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

Despite the in-depth report, the FBI and NSA did not detail the initial attack vector for the malware. The report also does not specify how long the malware has been in action, or how many companies may have been targeted – and whether any attacks have been successful. Authorities didn't specify how the malware initially infects victims either. They did say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The Malware

Of note, the name “Drovorub” was pulled from a variety of artifacts discovered in Drovorub files, according to the report. The FBI and NSA say this is the name used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.”

Drovorub refers to a malware suite of four separate components: an agent, a client, a server and a kernel module. When deployed on a victim’s machine, the Drovorub client is installed first, and then provides the capability for direct communications with an actor-controlled command-and-control (C2) infrastructure.


Once the client is in contact with the attacker-controlled server, it then uses an agent component to receive commands. Those commands can trigger file download and upload capabilities, execution of arbitrary commands as “root,” and port forwarding of network traffic to other hosts on the network.

Additionally, the client is packaged with a kernel module that provides rootkit-based stealth functionality to hide the client and the kernel module itself, according to the advisory. The rootkit, a collection of malicious software designed to enable access to a computer, provides an extra layer of stealth for the malware to hide its implant on infected devices. It does so by hiding specific files, modules and network artifacts. The rootkit also has a persistence feature that allows the malware to remain on infected machines across a reboot (unless UEFI Secure Boot is enabled in “Full” or “Thorough” mode).

Alleged Attribution

The U.S. government alleges the malware has been used in unspecified cyber-espionage operations that it has tied to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The report also cites what it believes are links between the malware and the Russian threat group Fancy Bear (also known as APT28, Strontium and Sofacy). This conclusion, the report states, came after linking operational Drovorub C2 infrastructure with what it said was GTsSS operational cyber infrastructure.

Specifically, on Aug. 5, 2019, the Microsoft Security Response Center published information linking IP address 82[.]118.242[.]171 to APT28 infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. The NSA and FBI said they confirmed that this same IP address was also used to access the Drovorub C2 IP address in April 2019. Threatpost has reached out to Microsoft for further comment.

Security researchers, for their part, said that the malware’s functions can allow attackers to launch cyber warfare campaigns to disrupt companies – all without geographic proximity to the victim.

“We can see that Fancy Bear has used their own Linux malware in the past, the most notorious case being the Linux version of their flagship backdoor XAgent, also known as Fysbis, four to five years ago,” Alexis Dorais-Joncas, Security Intelligence Team Lead for ESET, told Threatpost.

Allan Liska, threat intel analyst with Recorded Future, said on Twitter he is “curious as to how [pervasive] these attacks are.”

“The analysis of ‘Drovorub’ provides a reminder that Russian offensive cyber capabilities remain in the top tier of nation states,” Matt Walmsley, EMEA Director at Vectra, said via email. “It’s pleasing to see the NSA and FBI’s alert identify the Tactics, Techniques and Procedures (TTP) used by ‘Drovorub’ to map against the MITRE ATT&CK framework. That mapping provides practical help to security teams needing to quickly validate their technical controls and their ability to detect the various stages of attacker behaviors, such as Drovorub’s diverse use of stealthy command and control techniques.”

Mitigations against Drovorub do exist, according to U.S. authorities – implementing SecureBoot in “full” or “thorough” mode should reliably prevent malicious kernel modules, such as the Drovorub kernel module, from loading.

“This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection,” according to the FBI and NSA. “They should be used as quickly as possible before changes are made.”
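The two defensive points above (Secure Boot blocking the unsigned kernel module, and the rootkit hiding its module from the usual listings) can be turned into a quick host check. The following script is an added example, not code from the advisory or from the article: it decodes the UEFI SecureBoot variable as exposed by efivarfs, and compares the modules listed in /proc/modules with the directories under /sys/module, since a module that unlinks itself from the kernel's module list typically still leaves its sysfs entry behind. The paths are the standard Linux locations; the sample /proc/modules text and sysfs listing are constructed for the demonstration, and the module name "example_hidden" is a placeholder, not a Drovorub artifact.

```python
from pathlib import Path

# Standard Linux locations (assumed: UEFI firmware and sysfs/efivarfs mounted).
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
PROC_MODULES = Path("/proc/modules")
SYS_MODULE_DIR = Path("/sys/module")


def parse_secureboot_efivar(data: bytes):
    """Decode the SecureBoot variable as read from efivarfs.

    efivarfs prepends a 4-byte attribute word to the payload; the payload of
    SecureBoot is a single byte (1 = enabled, 0 = disabled).
    Returns True/False, or None if the data is too short to be well-formed.
    """
    if len(data) < 5:
        return None
    return data[4] == 1


def modules_from_proc(text: str):
    """Module names listed in /proc/modules (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_modules_from_sysfs(entries):
    """Names under /sys/module that belong to loaded (.ko) modules.

    Built-in kernel code also gets a /sys/module directory, so only entries
    carrying an 'initstate' file (present for loaded modules) are counted.
    `entries` maps directory name -> set of file names inside it.
    """
    return {name for name, files in entries.items() if "initstate" in files}


def find_hidden_modules(proc_text: str, sysfs_entries):
    """Modules present in sysfs but missing from /proc/modules.

    lsmod and /proc/modules are built from the kernel's module list; a module
    that removes itself from that list usually keeps its /sys/module entry,
    so the set difference is a cheap hiding indicator (not proof of absence).
    """
    return sorted(loaded_modules_from_sysfs(sysfs_entries) - modules_from_proc(proc_text))


def live_check():
    """Run both checks on the running host; unavailable inputs yield None."""
    result = {"secure_boot": None, "hidden_modules": None}
    try:
        var = EFIVARS_DIR / SECUREBOOT_VAR
        if var.is_file():
            result["secure_boot"] = parse_secureboot_efivar(var.read_bytes())
        if PROC_MODULES.is_file() and SYS_MODULE_DIR.is_dir():
            entries = {p.name: {c.name for c in p.iterdir()}
                       for p in SYS_MODULE_DIR.iterdir() if p.is_dir()}
            result["hidden_modules"] = find_hidden_modules(PROC_MODULES.read_text(), entries)
    except OSError:
        pass  # e.g. insufficient permissions: leave the affected field as None
    return result


# Constructed sample data: two ordinary modules, one that is loaded but has
# been unlinked from /proc/modules, and one built-in entry with no initstate.
SAMPLE_PROC_MODULES = """\
ext4 778240 1 - Live 0xffffffffc0a00000
e1000 155648 0 - Live 0xffffffffc0900000
"""
SAMPLE_SYSFS = {
    "ext4": {"initstate", "refcnt", "sections"},
    "e1000": {"initstate", "refcnt"},
    "example_hidden": {"initstate", "refcnt"},  # placeholder name, constructed
    "printk": {"parameters"},                   # built-in code, ignored
}

if __name__ == "__main__":
    print("sample hidden modules:", find_hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
    print("sample Secure Boot value:", parse_secureboot_efivar(b"\x06\x00\x00\x00\x01"))
    print("this host:", live_check())
```

On a real host, `mokutil --sb-state` gives the same Secure Boot answer as the efivar parse. An empty hidden-module list is not a clean bill of health: a rootkit can also delete its sysfs kobject, which is why the advisory pairs the Secure Boot control with network (Snort) and file (Yara) signatures.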


Researchers with the Georgia Institute of Technology laid out the scenario in a Black Hat 2020 virtual session Wednesday. They warned that high-wattage IoT devices are vulnerable to takeover by threat actors, who can hijack them in the same way that millions of CCTV cameras, DVRs and home routers are recruited into botnet armies to conduct distributed denial-of-service attacks and mine cryptocurrency.

“If an attacker can just slightly affect electricity market prices in their favor, it would be like knowing today what’s going to happen in tomorrow’s stock market,” said Tohid Shekari, a graduate research assistant in the School of Electrical and Computer Engineering at the Georgia Institute of Technology.

Shekari was joined during the session by Raheem Beyah, professor and vice president for Interdisciplinary Research at the Georgia Institute of Technology. They explained that energy markets are split into day-ahead and real-time markets. Energy producers work with resellers who deliver electricity to end users. The ecosystem is ripe for manipulation by threat actors, they said.

“To meet the demand for electrical energy, utility companies must predict future demand and purchase power from the day-ahead wholesale energy market at competitive prices,” according to a Georgia Tech report on the research. “If the predictions turn out to be wrong, the utilities may have to pay more or less for the energy they need to meet the demands of their customers by participating in the real-time market.”

Those real-time markets are more volatile and subject to price fluctuation. “Creating erroneous demand data to manipulate forecasts could be profitable to the suppliers selling energy to meet the unexpected demand, or the retailers or utilities buying cheaper energy from the real-time market,” the report said.


More information source: https://threatpost.com/nsa-fbi-warn-of-linux-malware-used-in-espionage-attacks/158351/