On August 15th the NSA and FBI published a joint security alert containing details about a previously undisclosed Russian malware.

The agencies say that the Linux strain malware has been developed and deployed in real-world attacks by Russian military hackers. The FBI says, “The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, whose activity is sometimes identified by the private sector as Fancy Bear, Strontium, or APT 28, is deploying malware called Drovorub, designed for Linux systems as part of its cyber espionage operations.”

What is Drovorub?

The name Drovorub comes from a variety of artifacts discovered in Drovorub files, Drovo translates to “firewood” or “wood”, while Rub translates to “to fell, or “to chop.” Together, they translate to “woodcutter” or “to split wood.”

Drovorub is like a Swiss-army knife for hacking Linux. The Linux malware toolset consists of an implant coupled with a kernel module root kit, a file transfer and port forwarding tool, and logic for connecting back to a Command and Control (C2) server. The below figure shows the Drovorub components and their functions.

Drovorub components

Drovorub components table

Drovorub malware is made up of four executable components: Drovorub-client, Drovorub-agent, Drovorub-kernel module and Drovorub-server. The components communicate via JSON over WebSockets. Below is a brief overview of each component.

Drovorub-Server

Installed on actor-controlled infrastructure, enables C2 for the Drovorub-client and Drovorub-agent. mySQL is used by the Drovorub-server to manage the connecting Drovorub-client(s) and Drovorub-agent(s). The database stores data that is used by the Drovorub-agent and client for registration, authentication and tasking.

Drovorub-client

The Drovorub-client is installed on target endpoints by the actor. The client receives commands from the remote Drovorub-server and offers file transfer to/from the victim, port forwarding, and a remote shell capability. The Drovorub-client is packaged within (Read more...)