The FBI and NSA warn in a joint report (PDF) about the previously unknown Linux malware Drovorub. The hacker group known as APT28, Fancy Bear, Sofacy or Strontium is said to use it to secretly infiltrate networks, access information and execute commands on the compromised infrastructure.
The hacker group is assigned to the Russian military intelligence service GRU and is held responsible, among other things, for the Bundestag hack in 2015, the attack on the German government in 2017 and on email accounts of the Democratic Party in the US election campaign. In addition, it is said to be behind the first UEFI rootkit that was spotted in the wild.
Drovorub consists of a client and a kernel module that are installed by the hacking group on the affected Linux systems. The kernel module serves as a rootkit that nests deep in the operating system in order to remain undetected and to achieve persistence. It is difficult to remove, runs with unrestricted root rights and allows the hacker group to take full control of the Linux system. The stolen information or control commands can be exchanged between the client and the command-and-control servers of the hacking group via an agent.
The NSA and FBI attribute Drovorub to the Russian hacker group APT28 because the group reused servers across various operations. According to the report, the malware communicated with a command-and-control server that was also used in 2019 for APT28 attacks against IoT devices. Microsoft had already documented that IP address in connection with APT28.
The US authorities did not disclose which targets the hacker group is attacking or has attacked with the malware. It also remains unclear how long the malware has been in use and how it gets onto Linux devices. In the past, APT28 mainly relied on phishing attacks to obtain credentials or infect computers. In their report, the NSA and FBI publish Yara and Snort rules that can be used to detect the malware.
The name Drovorub comes from the malware itself and translates as lumberjack, but the former CTO of the security company Crowdstrike, Dmitri Alperovitch, points out on Twitter that in Russian, "drovo" does not only mean wood but is also slang for (kernel) drivers. So "driver hacker" might be the more accurate translation.