NSA, FBI Expose New ‘Drovorub’ Linux Malware Used By Russian State...

The U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory about a previously undisclosed Linux malware developed and deployed in real-world attacks by Russia’s military hackers.

As per the advisory, the malware, dubbed ‘Drovorub’, is designed to target Linux systems and is part of cyber espionage operations carried out by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28.
What Is Drovorub?

Drovorub is a Linux malware toolset developed for use by the GTsSS. It consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server.

When deployed on a victim machine, Drovorub provides direct communications with actor-controlled command and control infrastructure; file download and upload; execution of arbitrary commands; port forwarding of network traffic to other hosts on the network; and hiding techniques to evade detection. It persists through a reboot of the infected machine unless UEFI secure boot is enabled in “Full” or “Thorough” mode.
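Two facts in the paragraph above translate directly into host checks a defender can run: the rootkit's persistence depends on UEFI Secure Boot not being enforced, and the kernel module hides itself from the usual module listings. The script below is an added example, not code from the advisory or from the NSA/FBI report. It assumes efivarfs is mounted at /sys/firmware/efi/efivars, where each variable file holds a 4-byte little-endian attribute word followed by the variable data (for SecureBoot, a single byte), and it uses the standard technique of comparing /proc/modules against the loadable entries under /sys/module, since a module that unlinks itself from the kernel's module list disappears from the former while its sysfs directory remains. The sample /proc/modules text and the module names in the test are constructed.

```python
"""Defender-side checks derived from the advisory's two statements:
persistence fails when UEFI Secure Boot is enforced, and the kernel
module hides itself from standard listings.  Added example, not the
advisory's own tooling.  Assumes efivarfs at /sys/firmware/efi/efivars."""
import os
import struct
from pathlib import Path
from typing import Optional, Set

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE GUID used for the SecureBoot variable name suffix.
SECUREBOOT_VAR = EFIVARS / "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
PROC_MODULES = Path("/proc/modules")
SYS_MODULE = Path("/sys/module")


def parse_efivar_secure_boot(raw: bytes) -> Optional[bool]:
    """Decode an efivarfs SecureBoot blob: 4 attribute bytes, then 1 data byte.

    Returns True when Secure Boot is enforced, False when disabled, None when
    the blob is too short to decode.  The efivar only reports on/off; it does
    not distinguish firmware-specific modes such as "Full" or "Thorough"."""
    if len(raw) < 5:
        return None
    (_attrs,) = struct.unpack_from("<I", raw, 0)  # attribute word, unused here
    return raw[4] == 1


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules: the first field of each line."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def hidden_modules(proc_names: Set[str], sysfs_names: Set[str]) -> Set[str]:
    """Loadable modules visible in sysfs but absent from /proc/modules.

    A module that removed itself from the kernel's module list (the list that
    /proc/modules and lsmod walk) still keeps its /sys/module/<name>/ kobject,
    so any name in this difference deserves a closer look."""
    return sysfs_names - proc_names


def list_sysfs_loadable_modules(sys_module: Path = SYS_MODULE) -> Set[str]:
    """Names under /sys/module that carry an 'initstate' file, i.e. modules
    that were loaded at runtime (built-in modules lack this file)."""
    if not sys_module.is_dir():
        return set()
    return {p.name for p in sys_module.iterdir() if (p / "initstate").exists()}


def host_report() -> dict:
    """Run both checks against the live host; tolerates non-EFI or non-Linux hosts."""
    report = {"secure_boot": None, "hidden_modules": set()}
    if SECUREBOOT_VAR.exists():
        report["secure_boot"] = parse_efivar_secure_boot(SECUREBOOT_VAR.read_bytes())
    if PROC_MODULES.exists():
        proc = parse_proc_modules(PROC_MODULES.read_text())
        report["hidden_modules"] = hidden_modules(proc, list_sysfs_loadable_modules())
    return report


# Constructed sample of /proc/modules content (two ordinary netfilter modules).
SAMPLE_PROC_MODULES = (
    "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
    "nf_nat 49152 2 xt_conntrack,ipt_MASQUERADE, Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    r = host_report()
    print("Secure Boot enforced:", r["secure_boot"])
    print("Modules in sysfs but not in /proc/modules:", sorted(r["hidden_modules"]))
```

Run it as root on the host under review; a `None` for Secure Boot means the machine is not booted via UEFI or efivarfs is not mounted, which for this threat counts as "not enforced". A non-empty hidden-module set is an indicator, not proof, and should be followed up with a memory image or an offline inspection of the root filesystem rather than by trusting tools on the possibly compromised host.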
“The Drovorub malware suite is comprised of four separate executable components: Drovorub-agent, Drovorub-client, Drovorub-server and Drovorub-kernel module,” the advisory reveals. 
“Communication between the components is conducted via JSON over WebSockets. The Drovorub-agent, Drovorub-client, and Drovorub-server require configuration files and an RSA public key (for the Drovorub-agent and Drovorub-client) or private key (for the Drovorub-server) for communication.”
A successful attack using Drovorub allows attackers to execute differen ..