Threat Signal Report

NSA/FBI Joint Advisory on Previously Undiscovered Malware - "Drovorub"

Description

Today, the United States National Security Agency (NSA) and Federal Bureau of Investigation (FBI) released a joint report on threat actors using Linux-based malware to maintain a presence on targeted victims' networks. The report highlights previously undisclosed malware named "Drovorub" and provides detailed insight into Drovorub and into the campaigns of APT28 (Fancy Bear), the GRU 85th GTsSS, which have been attributed to the government of Russia. This announcement should not be confused with the July 16th CISA/NCSC advisory on APT29, which concerned the targeting of organizations researching COVID-19. APT29, aka "Cozy Bear/Duke", is also attributed to Russia.


What is Drovorub?

According to the joint report, Drovorub consists of four components: a client (the implant that runs on the victim host), a kernel module (a rootkit that hides the client's files, processes and network connections), an agent (deployed on attacker-controlled or other internet-accessible hosts to provide port forwarding and file upload/download), and a server (the command and control server). Once deployed on a victim machine, Drovorub gives the attacker full control of that machine: file upload and download, remote command execution as root, communication with attacker-controlled command and control servers, and port forwarding of network traffic. Drovorub can be controlled either from attacker-controlled infrastructure or via publicly accessible internet hosts. The report attributes the development of Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. The security research community tracks GTsSS under designations including Fancy Bear, APT28, Strontium and Sofacy.


Why is APT28 Significant?

APT28's main targets are those that appear to be of interest to the government of Russia. Previous attacks by APT28 were not limited to government entities; they ranged from Russian citizens critical of the government to the anti-Putin punk rock band Pussy Riot. APT28 was responsible for the attacks on the World Anti-Doping Agency (WADA) and on the Rio Olympics (2016). Like APT29 (discussed below), APT28 was also responsible for the 2016 DNC attacks.

Although APT28 is attributed to the government of Russia, it should not be confused with APT29/Cozy Bear/Duke, another group attributed to Russia. APT29/Cozy Bear/Duke has been in operation since 2008. Targets of previous attacks attributed to this threat actor include companies, government agencies, research institutions, non-governmental organizations, and think tanks across multiple countries. Other high-profile attacks attributed to this group are the 2015 attack on the United States Pentagon, the 2016 Democratic National Committee (DNC) email leaks, and attacks on various United States think tanks and NGOs in 2017. Both groups rely heavily on spearphishing.


What operating systems are affected?

Linux-based operating systems. The rootkit component depends on loading an unsigned kernel module, so hosts that enforce kernel module signing (see the mitigation below) deny Drovorub that capability, although the user-space client can still run.


What is the severity of impact?

The severity should be regarded as medium, because the advisory reports limited, targeted attacks against specific verticals rather than widespread exploitation.


What is the mitigation provided in the advisory?

According to the advisory, system owners should enable UEFI Secure Boot in "full" or "thorough" mode, which should reliably prevent unsigned kernel modules, including the Drovorub kernel module, from loading. Without its kernel module, Drovorub cannot hide its files, processes and network connections on the system. The advisory also provides other detection and mitigation options, including Snort and YARA rules. Please see the Appendix section "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware" for further details.
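The following script is an added example and is not code from the advisory or from FortiGuard Labs; it checks the conditions that decide whether a Linux host can load an unsigned kernel module, which is what the Drovorub rootkit component needs. It reads the kernel's module signature enforcement flag (/sys/module/module/parameters/sig_enforce), the EFI SecureBoot variable exposed through efivarfs, and the lockdown LSM state (/sys/kernel/security/lockdown). The ROOT argument accepted by each function and the AUDIT_LIVE variable are assumptions of this example so that the same checks can be run against a constructed copy of those files; on a real host the prefix is empty.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): audit whether a Linux host
# will refuse to load an unsigned kernel module such as a rootkit.
# Every function takes ROOT, a hypothetical path prefix, so the checks can be
# pointed at a constructed copy of the kernel interfaces; "" means the live host.

# read_setting FILE: print the file's content without newlines, or "missing".
read_setting() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf 'missing'
    fi
}

# sig_enforce_status ROOT: does the kernel reject modules without a valid
# signature? /sys/module/module/parameters/sig_enforce holds Y or N.
sig_enforce_status() {
    case "$(read_setting "$1/sys/module/module/parameters/sig_enforce")" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# secureboot_status ROOT: read the EFI SecureBoot variable via efivarfs.
# The file is 4 bytes of variable attributes followed by one data byte (0/1).
secureboot_status() {
    f=$(ls "$1"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo no-efi; return; }
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# lockdown_status ROOT: active lockdown mode, taken from the bracketed word in
# e.g. "[none] integrity confidentiality". Missing on kernels without the LSM.
lockdown_status() {
    v=$(read_setting "$1/sys/kernel/security/lockdown")
    if [ "$v" = missing ]; then
        echo missing
    else
        echo "$v" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
    fi
}

# audit ROOT: print the three findings and return 0 only when unsigned modules
# are blocked: signature enforcement on, or lockdown in integrity or
# confidentiality mode (both of which imply module signature enforcement).
audit() {
    sig=$(sig_enforce_status "$1")
    sb=$(secureboot_status "$1")
    ld=$(lockdown_status "$1")
    printf 'module signature enforcement: %s\n' "$sig"
    printf 'UEFI Secure Boot:             %s\n' "$sb"
    printf 'kernel lockdown:              %s\n' "$ld"
    if [ "$sig" = enforced ] || [ "$ld" = integrity ] || [ "$ld" = confidentiality ]; then
        echo 'RESULT: unsigned kernel modules are rejected'
        return 0
    fi
    echo 'RESULT: unsigned kernel modules can be loaded; enable UEFI Secure Boot and module signing'
    return 1
}

# Only touch the live host when explicitly asked (AUDIT_LIVE=1, an assumption
# of this example), so the functions can also be sourced against a test tree.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit ""
fi
```

Run it as AUDIT_LIVE=1 sh drovorub_module_audit.sh with root privileges (the file name is a placeholder). The verdict keys on the signature enforcement flag and the lockdown mode rather than on the Secure Boot bit alone, because Secure Boot can be switched on in firmware while a kernel without lockdown support still accepts unsigned modules. A host whose result line reports that unsigned modules can be loaded is exposed to the rootkit component regardless of other controls; a passing result does not indicate the absence of the user-space client, which is what the advisory's Snort and YARA rules are for.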


What is the status of AV and IPS coverage?

FortiGuard Labs has IPS coverage in place for this event as:

Malware.Drovorub (15.907)


All network IOCs are blocked by the WebFiltering client.

185.86.149[.]125

82.118.242[.]171


Definitions

Traffic Light Protocol

Each level below lists the color, when it should be used, and how it may be shared.

TLP: RED

Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.