The Drovorub Mystery: Malware NSA Warned About Can't Be Found

NSA and FBI Released Detailed Information on Drovorub Linux Malware, But Major Cybersecurity Firms Found No Samples

A piece of malware linked by U.S. intelligence agencies to hackers believed to be backed by the Russian government remains a mystery to the private sector, which apparently hasn’t found a single sample of the malware. One researcher went as far as suggesting that it may be a false flag set up by the United States itself.

In August 2020, the NSA and the FBI released a joint cybersecurity advisory detailing a piece of malware they named Drovorub. According to the agencies, Drovorub was designed to target Linux systems as part of cyber espionage operations conducted by Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, which has been linked to attacks conducted by the threat actor tracked as APT 28, Fancy Bear, Sednit and Strontium.

The 45-page report released by the NSA and FBI describes Drovorub as a “Linux malware toolset” that consists of an implant with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C&C) server.

“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the agencies wrote in their advisory.

The advisory shares information on how Drovorub works, how it can be detected, and how organizations can protect their systems against attacks involving the malware.

In November, French industrial giant Schneider Electric issued an advisory to warn customers about the potential threat posed by Drovorub to some of its products, but the company told SecurityWeek at the time that it hadn’t been aware of any actual incident involving the malware — its alert was issued based on the information from the NSA advisory.

In fact, no one in the private sector appears to have seen Drovorub attacks, or samples of the malware. SecurityWeek has reached out to several major cybersecurity solutions providers and no one seems to have obtained actual samples — or at least they’re currently not willing to share any information — despite the fact that the NSA’s advisory contains Snort rules, Yara rules and other technical information that would make it easy to find the malware on infected systems.

Contacted companies include Bitdefender, Symantec, ESET, Trend Micro, CrowdStrike, Google’s Chronicle, Kaspersky, FireEye, Microsoft, and ReversingLabs.

“It’s a highly advanced sample, used in very targeted ways by a very sophisticated threat actor against a small number of selected targets. So by the very nature of it, you will only get such a sample if one of those victims discloses it, and if those victims are themselves highly sensitive – it is unlikely they would disclose that,” Robert McArdle, director of Trend Micro's Forward Looking Threat Research, said via email.

ESET said it had not seen Drovorub or any similar malware in the wild.

“Unlike mass-spreading malware, it looks like this malware is used in targeted intrusions against a small set of victims,” ESET researcher Anton Cherepanov told SecurityWeek. “In addition to that, usually Linux servers don't have any security software in place. That's why it's really hard to find samples of this malware in the wild.”

SecurityWeek has also reached out to the NSA and the FBI to see if the agencies had shared samples with the private sector or if they had plans to do so. The NSA did not respond and the FBI said it does not have any additional information to share beyond what was published in the advisory.

Drovorub is also mentioned in a recently published 400-page book, titled “Loaded for Guccifer2.0: Following A Trail of Digital Geopolitics,” written by David Jonathon Blake. In his book, Blake goes as far as suggesting that Drovorub is a false flag deployed by the United States to make it appear as if Russia was preparing an attack on critical infrastructure.

The author says he’s not a security expert, but claims that for the past several years — full time, for a large part of it — he has been researching what he believes to be false flag operations set up and conducted by the U.S. in an effort to blame Russia for various cyberattacks. The book, which suggests that even the 2016 attack on the Democratic National Committee was actually conducted by U.S. agencies, is a combination of technical research and speculation, and sounds very much like a conspiracy theory.

In their report, the NSA and FBI shared little information on how they linked Drovorub to Russian intelligence. As an example related to attribution, they provide an IP address, 185.86.149.125, used by the malware for C&C, which was at some point allegedly accessed by an IP previously linked by Microsoft to Strontium.

Blake said 185.86.149.125 was associated with a physical server located in Latvia, but the IP address was also connected to a domain apparently registered by someone in a Russian city where the GRU is known to have a presence. However, the author claims that the same domain — for a very short while in 2018 — resolved to an IP address that always belonged to a major US tech company that provides services to the U.S. government.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.