Russia is targeting Linux with Drovorub malware

The NSA has issued a warning about a new round of cyberattacks by Russia. This time, the GRU (Główny Zarząd Wywiadowczy, the Russian General Staff Main Intelligence Directorate) is targeting Linux machines.

To orchestrate the attacks, the GRU is using a malware suite called Drovorub. The suite is made up of four modules and uses a variety of techniques to hide itself and evade detection.

See also:

• Using the HOSTS file to block Windows 10 telemetry? Microsoft now flags it as a severe security risk
• Emotet returns to top the malware charts after a five month break
• Microsoft launches Project Freta to detect malware in Linux kernels

The National Security Agency does not say how long the malware has been in circulation for, but points out that the Russian GRU 85th GTsSS responsible for deploying it has been seen operating under various names including Fancy Bear, APT28 and Strontium. Drovorub is concerning not only because of the steps it takes to hide itself, but also because of the root level privileges it is able to obtain.

The NSA describes the malware:

Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure (T1071.0011); file download and upload capabilities (T1041); execution of arbitrary commands as "root" (T1059.004); and port forwarding of network traffic to other hosts on the network (T1090). The kernel module rootkit uses a variety of means to hide itself and the implant on infected devices (T1014), and persists through reboot of an infected machine unless UEFI secure boot is enabled in "Full" or "Thorough" mode.

System administrators are advised to upgrade to Linux Kernel 3.7 or later in order to avoid being susceptible to attack, as well as taking precautions to ensure that only modules with valid digital signatures are loaded.

More details can be found in the NSA's advisory notice.

Image credit: GrAl / Shutterstock