The FBI and NSA have just released a joint security alert with information on a new strain of Linux malware. The two agencies claim that the malware was created and distributed by Russian military hackers and has been used in active attacks.
According to the joint alert, the malware, known as Drovorub, was used by Russian hackers to plant backdoors in compromised networks.
Based on evidence collected during their research, FBI and NSA officials claim that Drovorub is the work of APT28 (Fancy Bear, Sednit). This is a codename used to describe the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
The joint alert, published by the two organizations, aims to inform the private and public sectors in the United States about the threat, so that IT specialists can quickly take the necessary malware detection and prevention measures.
Drovorub — a multi-purpose malware for Linux hacking
Drovorub is malware made up of multiple malicious components. It bundles an implant, a kernel rootkit, a file-transfer tool, a port-forwarding module, and a command-and-control (C2) server.
Security experts describe Drovorub as a “Swiss-army knife” that malicious actors can use to carry out a range of malicious tasks, including theft of sensitive information and remote control of the infected computer.
Aside from its various malicious features, Drovorub also uses advanced “rootkit” techniques that help it remain undetected for long periods. Its stealth allows the malicious actors to place the malware on different targets without visible symptoms, so that attacks can be launched at any moment of their choosing.
The joint alert does not specify the exact objectives of Drovorub, but its multi-functional nature allows for various attacks aimed at industrial espionage and even election interference. The US alone is a very target-rich environment that could be exploited in potential attacks, security experts explain.
The technical information published by the NSA and FBI on the Drovorub toolset is of great importance for cyber security professionals in the US. To prevent attacks by this malware, the two agencies recommend that US organizations update their Linux systems to kernel version 3.7 or later, as this allows them to take full advantage of kernel module signing enforcement, a security feature that could prevent APT28 hackers from installing Drovorub.
The joint security alert also provides detailed guidance and advice on how to apply effective malware-detection measures. If you are a Linux user and this security alert concerns you, you can read the 45-page-long report here, and be quick to apply the recommended security measures.
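As an added example (not from the joint alert or from this article), the following POSIX shell script performs a read-only audit of the conditions the recommendation above rests on: whether the running kernel is at least 3.7, whether module signature enforcement is actually switched on, and which of the modules currently visible in /proc/modules loaded without a valid signature. The sysfs path /sys/module/module/parameters/sig_enforce and the E taint flag in /proc/modules are standard Linux kernel interfaces; the optional file-path arguments are only there so the checks can be exercised against constructed input. Because Drovorub's rootkit hides its own module, an empty unsigned-module list is a sanity check, not proof that a host is clean.

```shell
#!/bin/sh
# Added example: audit the host against the alert's mitigation advice.
# All checks are read-only; paths may be overridden for testing.

# Succeed (exit 0) if kernel release string $1 is at least version $2.$3.
# Handles distro suffixes such as "5.10.0-8-amd64" or "3.10.0-1160.el7.x86_64".
kernel_at_least() {
  rel=$1; want_major=$2; want_minor=$3
  major=${rel%%.*}              # text before the first dot
  major=${major%%[!0-9]*}       # keep only the leading digits
  rest=${rel#*.}                # text after the first dot
  minor=${rest%%.*}             # up to the next dot ...
  minor=${minor%%[!0-9]*}       # ... and drop anything non-numeric ("10-rc1" -> "10")
  [ "$major" -gt "$want_major" ] && return 0
  [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# Print the module-signature enforcement state: "enforced", "not-enforced" or
# "unknown" (file absent, e.g. a kernel built without CONFIG_MODULE_SIG).
# Reads /sys/module/module/parameters/sig_enforce unless a path is given.
sig_enforce_status() {
  f=${1:-/sys/module/module/parameters/sig_enforce}
  [ -r "$f" ] || { echo unknown; return 2; }
  case "$(cat "$f")" in
    Y) echo enforced;     return 0 ;;
    N) echo not-enforced; return 1 ;;
    *) echo unknown;      return 2 ;;
  esac
}

# Print the names of loaded modules whose taint flags include E (unsigned
# module), one per line. Reads /proc/modules unless a path is given; the
# trailing "(...)" field is present only for tainted modules. A rootkit that
# hides its module from /proc/modules will not show up here.
unsigned_modules() {
  f=${1:-/proc/modules}
  [ -r "$f" ] || return 2
  awk '$NF ~ /^\(.*E.*\)$/ { print $1 }' "$f"
}

# Stand-alone run: audit the current host and print a short report.
main() {
  rel=$(uname -r)
  if kernel_at_least "$rel" 3 7; then
    echo "kernel $rel: module signing supported (>= 3.7)"
  else
    echo "kernel $rel: older than 3.7, update before relying on module signing"
  fi
  echo "module signature enforcement: $(sig_enforce_status)"
  echo "visible unsigned (E-tainted) modules:"
  unsigned_modules | sed 's/^/  /'
}

main
```

Run it as root with sh so that /proc/modules and the sysfs parameter are readable. A kernel of 3.7 or later with sig_enforce reporting N supports signing but is not enforcing it; on such hosts the setting is typically turned on through the kernel's own configuration or boot parameters, which the alert's full report covers in more depth than this check.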