FBI and NSA Expose Drovorub Malware, APT28's Swiss-Army Knife For Hacking Linux

Drovorub - A swiss-army knife

• Drovorub is a multi-component malware suite that comes with an implant, a file transfer tool, a kernel module rootkit, a port-forwarding module, and a command-and-control (C2) server.
• Drovorub malware takes advantage of several functions available to Linux Kernels prior to version 3.7. To make it difficult for network-wide security solutions to catch it, Drovorub is also designed for stealth by utilizing advanced rootkit techniques to gain admin privileges.

The Russian roots

• Per the two agencies, the Linux malware strain was developed by Russian hackers, and deployed in real-world attacks to plant backdoors inside hacked networks.
• The malware has been attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, also codenamed as APT28 (Fancy Bear).

Recent APT28 attacks

• In late July, APT28 was reported to have carried out an attack campaign against US-based government and energy sector organizations, attempting to break into their email servers, Office 365 and email accounts, and VPN servers.
• In the end of March, security experts had found the Fancy Bear group scanning the internet to find vulnerable webmail and Microsoft Exchange Autodiscover servers on TCP ports 445 and 1433.

Detection and prevention