New information-stealing Linux malware “Drovorub”, believed to have been developed by the Russian military, may infect your Linux server/PC/laptop
There is a new Linux malware in town and it is called Drovorub. The Drovorub malware is believed to have been developed by the Russian military hacking apparatus to steal information from American and European companies. U.S. intelligence has already taken note of the malware: the FBI and NSA issued a joint security alert warning companies and individuals to be wary of the new strain of Linux malware.
The NSA and FBI stated that Drovorub was developed by the hacking group named APT28 (Fancy Bear, Sednit). APT28 is the codename given by U.S. intelligence to the Russian military-sponsored hacking group affiliated with Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The U.S. agencies say that the primary task of Drovorub is espionage, but the malware may also be used for profiteering, stealing confidential information, and extortion. The NSA and FBI have been explicit in their report that servers and computers running Linux kernel version 3.7 or lower are most susceptible to the Drovorub malware due to the absence of adequate kernel signing enforcement.
What is Drovorub Linux Malware?
The Drovorub Linux malware is a complex multi-kit malware. It consists of an implant, a file transfer tool, a kernel module rootkit, a command and control server, and a port forwarding module. McAfee security researchers say that Drovorub is a ‘swiss-army-knife’ of capabilities that allows the attacker to perform many different functions, such as stealing files and remotely controlling the victim’s computer.
The infection starts when the Drovorub malware runs a rootkit scanner to find low-level processes that can be exploited to implant malicious code at boot. McAfee researchers say that Drovorub can be examined by scanning memory with tools like Volatility: using the Volatility plugin linux_psxview, the presence of the Drovorub client can be detected even though it does not show up in the normal pslist output.
The NSA and FBI have warned that the Drovorub Linux malware is highly stealthy and can stay undetected on machines owing to the advanced rootkit technologies deployed by the hackers. They also say that the components of the Drovorub Linux malware communicate with each other using JSON over WebSockets, and that the traffic is encrypted by the server module using the RSA algorithm.
The joint alert suggests that organizations should enable UEFI Secure Boot in “full” or “thorough” mode on x86-64 systems. UEFI Secure Boot requires cryptographically signed firmware and kernels. Because unsigned drivers can then no longer be loaded for hardware, this action decreases the attack surface for the Drovorub malware. Sysadmins should also configure the kernel to load only known modules.
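The following host-audit script is an added example written for this article; it is not code from the NSA/FBI advisory, from McAfee, or from the Drovorub analysis. It turns the two defensive points above into checks a sysadmin can run: the process cross-view idea behind Volatility’s linux_psxview, applied live to /proc versus ps instead of a memory image (with any persistent difference being the interesting case), plus a kernel-version check against the 3.7-or-lower threshold and checks for UEFI Secure Boot, kernel module signature enforcement, the kernel.modules_disabled sysctl, and loaded modules that are not on a local allowlist. It assumes a Linux host with /proc, /sys and standard POSIX tools; the allowlist path /etc/modules.allowlist is a placeholder chosen for this example, and the module names in the comments are constructed.

```shell
#!/bin/sh
# Added example: Drovorub-oriented host audit (not the advisory's own tooling).
# Run with --live to check the current host; without arguments the functions
# are only defined so they can be sourced and exercised on constructed input.

ALLOWLIST_FILE="${ALLOWLIST_FILE:-/etc/modules.allowlist}"   # placeholder path

# set_difference LIST_A LIST_B: print the first field of every line that is in
# LIST_A but not in LIST_B. Inputs are newline-separated strings.
set_difference() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u > "$a"
    printf '%s\n' "$2" | awk 'NF { print $1 }' | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# hidden_pids PROC_PIDS PS_PIDS: PIDs present in /proc but missing from ps.
# A rootkit that filters the listing path used by ps but not /proc directory
# lookups shows up here. Short-lived processes also cause one-off differences,
# so re-run and treat a PID that persists across runs as the finding.
hidden_pids() {
    set_difference "$1" "$2"
}

pids_from_proc() { ls -1 /proc 2>/dev/null | grep -E '^[0-9]+$'; }
pids_from_ps()   { ps -e -o pid= 2>/dev/null | tr -d ' '; }

# kernel_at_or_below_3_7 VERSION: exit 0 when major.minor of VERSION is 3.7 or
# lower ("3.7.10", "2.6.32-754.el6" -> true; "3.10.0-1160.el7", "5.4.0" -> false).
kernel_at_or_below_3_7() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*$//')
    [ "${major:-0}" -lt 3 ] || { [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -le 7 ]; }
}

# secure_boot_enabled: reads the SecureBoot EFI variable (4 attribute bytes
# followed by one data byte; 1 = enabled). False when the variable is absent,
# e.g. on a legacy-BIOS host.
secure_boot_enabled() {
    for f in /sys/firmware/efi/efivars/SecureBoot-*; do
        [ -r "$f" ] || return 1
        [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ] && return 0
        return 1
    done
    return 1
}

# module_sig_enforced: Y when the kernel refuses unsigned modules
# (CONFIG_MODULE_SIG_FORCE or module.sig_enforce=1 on the kernel command line).
module_sig_enforced() {
    [ "$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null)" = "Y" ]
}

# modules_loading_disabled: kernel.modules_disabled=1 rejects any further
# module loads until reboot.
modules_loading_disabled() {
    [ "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null)" = "1" ]
}

# unexpected_modules ALLOWLIST LOADED: modules in LOADED (the /proc/modules
# format, module name first) that are not in ALLOWLIST (one name per line).
unexpected_modules() {
    set_difference "$2" "$1"
}

# report: run every check against the live host.
report() {
    echo "kernel: $(uname -r)"
    if kernel_at_or_below_3_7 "$(uname -r)"; then
        echo "  WARN: kernel 3.7 or lower, no adequate kernel signing enforcement"
    fi
    secure_boot_enabled      && echo "secure boot: enabled"        || echo "secure boot: NOT enabled"
    module_sig_enforced      && echo "module signatures: enforced" || echo "module signatures: NOT enforced"
    modules_loading_disabled && echo "module loading: disabled"    || echo "module loading: still allowed"
    if [ -r "$ALLOWLIST_FILE" ]; then
        echo "modules not on allowlist:"
        unexpected_modules "$(cat "$ALLOWLIST_FILE")" "$(cat /proc/modules)"
    fi
    echo "pids in /proc but not in ps:"
    hidden_pids "$(pids_from_proc)" "$(pids_from_ps)"
}

if [ "${1-}" = "--live" ]; then
    report
fi
```

The process cross-view is a weaker cousin of an offline memory-image analysis, because a kernel rootkit can hook both views consistently; it is cheap to run on a schedule, though, and a PID that stays hidden from ps across runs warrants a proper memory capture. The allowlist check complements Secure Boot rather than replacing it: signature enforcement stops unsigned modules from loading, while the allowlist catches a signed-but-unexpected module that appeared after baseline.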