Threat Awareness – Drovorub, New Linux Malware with a Russian Nexus

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have jointly released a comprehensive technical advisory on previously undisclosed Linux malware they are attributing to Russian advanced persistent threat (APT) actors. The malware, dubbed Drovorub, is being associated to APT28/Fancy Bear, a Russian group notoriously known for the 2016 Democratic National Committee attacks. According to the report, Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. The rootkit enables Drovorub to remain stealth and persistent. The publication provides more background on Drovorub, attribution of its use, guidance on how to detect Drovorub on infected systems, and mitigation recommendations. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the joint advisory and employ its detection techniques and mitigations. In addition to reviewing the report, members are encouraged to review the MITRE ATT&CK® page on APT28 to understand more about the groups tactics, techniques, and procedures (TTPs). Read more about Drovorub at ZDNet and access the report at WaterISAC