The United States on Thursday published information on Drovorub, a previously undisclosed piece of malware that Russia-linked cyber-spies are using in attacks targeting Linux systems.
A joint advisory from the NSA and the FBI reveals that Drovorub is being employed by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, better known as the cyber-espionage group APT 28 (Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team).
APT 28 is believed to have launched attacks on NATO countries and Ukraine, and to have orchestrated the attack on the DNC ahead of the 2016 elections in the United States. Earlier this year, researchers discovered that the group was hijacking high-profile email accounts to launch phishing attacks.
According to the U.S. government, Drovorub is a proprietary piece of malware consisting of an implant and a kernel module rootkit (both installed on target systems), a file transfer and port forwarding tool (installed on Internet-accessible hosts), and an accompanying command and control (C&C) server.
On the victim machine, the malware can communicate with the attacker’s C&C server, download and upload files, execute commands with root privileges, perform port forwarding, hide itself to evade detection, and ensure persistence across system reboots.
The NSA and the FBI, which provide full technical details on the Drovorub malware, say that systems running Linux kernel versions 3.7 or lower are exposed, due to the lack of adequate kernel signing enforcement. Keeping systems on the latest vendor-supplied software should therefore mitigate this threat.
The advisory also reveals that Drovorub cannot achieve persistence on systems where UEFI secure boot is enabled in “Full” or “Thorough” mode, so that only signed kernel modules are loaded. Enabling secure boot, however, could affect system functionality.
In an accompanying FAQ for the advisory, the agencies note that they have no reason to believe the malware is being employed by other threat actors as well, but that they expect adversaries to adopt similar tools and techniques in future operations.
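The two conditions the advisory ties to Drovorub's ability to persist (a kernel of 3.7 or lower, and UEFI secure boot not enforcing signed modules) are things a defender can check on a host. The script below is an added example written for this article; it is not code from the advisory or from the agencies. It assumes `mokutil --sb-state` is available for the secure boot check, and it reads the kernel's taint word from `/proc/sys/kernel/tainted`, where bit 13 (value 8192) is set the first time an unsigned module is loaded. Each check is a function that takes its input as an argument, so the logic can be run against constructed values as well as the live system.

```shell
#!/bin/sh
# Added example (not from the advisory or the article): a read-only posture
# check for the conditions the advisory ties to Drovorub's persistence.

# True (exit 0) when a kernel release string such as "3.7.10" or
# "5.15.0-91-generic" is 3.7 or lower, the range the advisory calls exposed.
kernel_at_or_below_3_7() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop suffixes such as "-generic"
    [ "$major" -lt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -le 7 ] && return 0
    return 1
}

# Interprets the output of `mokutil --sb-state`
# ("SecureBoot enabled" / "SecureBoot disabled").
secure_boot_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The kernel sets taint bit 13 (TAINT_UNSIGNED_MODULE, value 8192) the first
# time an unsigned module is loaded; $1 is the integer read from
# /proc/sys/kernel/tainted.
unsigned_module_was_loaded() {
    [ $(( ($1 / 8192) % 2 )) -eq 1 ]
}

# Runs the checks against the local host and prints one finding per line.
audit_live_system() {
    rel=$(uname -r)
    if kernel_at_or_below_3_7 "$rel"; then
        echo "WARN kernel $rel is 3.7 or lower: advisory lists this range as exposed"
    else
        echo "OK   kernel $rel is newer than 3.7"
    fi
    if command -v mokutil >/dev/null 2>&1 && secure_boot_enabled "$(mokutil --sb-state 2>/dev/null)"; then
        echo "OK   UEFI Secure Boot reported enabled"
    else
        echo "WARN UEFI Secure Boot not confirmed enabled (mokutil missing or reports disabled)"
    fi
    if [ -r /proc/sys/kernel/tainted ] && unsigned_module_was_loaded "$(cat /proc/sys/kernel/tainted)"; then
        echo "WARN taint bit 13 set: an unsigned module has been loaded since boot"
    else
        echo "OK   no unsigned-module taint recorded"
    fi
}

audit_live_system
```

The taint check complements the version and secure boot checks: if signing is not enforced, a loaded unsigned module does not block the boot but does leave this flag set until the next reboot, which makes it a cheap indicator to collect alongside the advisory's detection guidance.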
“Drovorub represents a threat to National Security Systems, Department of Defense, and Defense Industrial Base customers that use Linux systems. Network defenders and system administrators can find detection strategies, mitigation techniques, and configuration recommendations in the advisory to reduce the risk of compromise,” the agencies warned.
Related: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers
Related: Russian Cyberspies Hacked High-Profile Email Accounts for Phishing
Related: Russia Angrily Denies German Allegations on 2015 Cyberattack

More from Ionut Arghire