NSA/FBI Joint Advisory on Previously Undiscovered Malware - "Drovorub"

Description

Today, the United States National Security Agency (NSA) and Federal Bureau of Investigation (FBI) released a joint report on threat actors using Linux-based malware to maintain a presence on targeted victims' networks. The report highlights previously undiscovered malware named "Drovorub." It provides detailed insight into Drovorub and into the campaigns of APT28 (Fancy Bear), the GRU's 85th GTsSS, which have been attributed to the government of Russia. This announcement should not be confused with the July 16th CISA/NCSC advisory on APT29, which concerned the targeting of organizations researching COVID-19. APT29, also known as "Cozy Bear" or "Duke," is likewise attributed to Russia.


What is Drovorub?

According to the joint report, Drovorub consists of four components: an agent (port forwarding and file upload/download), a client (implant), a server (command and control server) and a kernel module (rootkit). Once deployed on a victim machine, Drovorub gives the attacker full control of that machine: uploading and downloading files, executing commands remotely as root, communicating with attacker-controlled command and control servers and forwarding network traffic through ports. Drovorub can be controlled either from attacker-controlled infrastructure or via publicly accessible internet hosts. The report attributes the development of Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. In threat research nomenclature, GTsSS is also tracked as Fancy Bear, APT28, Strontium, Sofacy and other designations.


Why is APT28 Significant?

APT28's main targets are those that appear to be of interest to the government of Russia. Previous attacks by APT28 were not limited to government entities; they ranged from Russian citizens critical of the government to the anti-Putin rock band Pussy Riot. APT28 was responsible for the attacks on the World Anti-Doping Agency (WADA) and the Rio Olympics (2016). Like APT29 (discussed below), APT28 was also responsible for the DNC attacks in 2016.

Although APT28 is attributed to the government of Russia, it is not to be confused with APT29 (Cozy Bear/Duke), another group attributed to Russia. APT29 has been in operation since 2008. Previous attacks attributed to this threat actor have targeted various companies, government agencies, research institutions, non-governmental organizations and think tanks across multiple countries. Other high-profile attacks attributed to this group include the attack on the United States Pentagon in 2015, the Democratic National Committee (DNC) email leaks in 2016, and attacks on various United States think tanks and NGOs in 2017. Both groups rely on spearphishing attacks.


What operating systems are affected?

Linux-based operating systems.


What is the severity of impact?

The severity should be regarded as medium, because the advisory reports limited, targeted attacks against specific verticals.


What is the mitigation provided in the advisory?

The advisory recommends enabling UEFI Secure Boot in "full" or "thorough" mode, which should reliably prevent unsigned (and therefore malicious) kernel modules from loading. This stops Drovorub's kernel module from hiding the implant on a system. Other detection and mitigation options (Snort and YARA rules) are provided in the advisory. Please see the Appendix section "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware" for further details.
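The following is an added example, not code from the advisory or from FortiGuard Labs, showing how an administrator can verify from a Linux host that the mitigation above is actually in effect: that the firmware reports Secure Boot enabled and that the kernel refuses unsigned modules (module signature enforcement or kernel lockdown). It reads the standard efivarfs, sysfs and securityfs interfaces; the `root` parameter is an assumption added so the checks can be pointed at a copied or constructed filesystem tree instead of the live system.

```python
"""Kernel-module loading posture check (added example, not from the advisory).

Interfaces read (all standard on a modern Linux kernel):
  - sys/firmware/efi/efivars/SecureBoot-*   UEFI SecureBoot variable
  - sys/module/module/parameters/sig_enforce  module signature enforcement (Y/N)
  - sys/kernel/security/lockdown              kernel lockdown mode
The `root` argument is an assumption of this example: use "/" on a live host,
or a directory that mirrors the same layout for offline analysis or testing.
"""
import glob
import os
from typing import Dict, Optional


def secure_boot_enabled(root: str = "/") -> Optional[bool]:
    """Return True/False from the UEFI SecureBoot variable, or None if not EFI-booted.

    efivarfs files carry a 4-byte attribute header followed by the variable
    data; for SecureBoot the data is a single byte where 1 means enabled.
    """
    matches = glob.glob(os.path.join(root, "sys/firmware/efi/efivars/SecureBoot-*"))
    if not matches:
        return None
    with open(matches[0], "rb") as fh:
        raw = fh.read()
    if len(raw) < 5:
        return None
    return raw[4] == 1


def module_sig_enforced(root: str = "/") -> Optional[bool]:
    """True if the kernel refuses unsigned modules (sig_enforce=Y)."""
    path = os.path.join(root, "sys/module/module/parameters/sig_enforce")
    try:
        with open(path) as fh:
            return fh.read().strip().upper() == "Y"
    except FileNotFoundError:
        return None


def lockdown_mode(root: str = "/") -> Optional[str]:
    """Parse the active mode from a line such as 'none [integrity] confidentiality'."""
    path = os.path.join(root, "sys/kernel/security/lockdown")
    try:
        with open(path) as fh:
            text = fh.read()
    except FileNotFoundError:
        return None
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def assess(root: str = "/") -> Dict[str, object]:
    """Combine the three readings into a verdict on unsigned-module loading."""
    sb = secure_boot_enabled(root)
    sig = module_sig_enforced(root)
    lock = lockdown_mode(root)
    # Unsigned modules are rejected when signature enforcement is on or lockdown
    # is at least "integrity"; Secure Boot is what anchors that chain of trust
    # so a boot-time tampering cannot simply switch the enforcement off.
    blocks_unsigned = bool(sig) or lock in ("integrity", "confidentiality")
    return {
        "secure_boot": sb,
        "sig_enforce": sig,
        "lockdown": lock,
        "unsigned_modules_blocked": blocks_unsigned,
        "hardened": bool(sb) and blocks_unsigned,
    }


if __name__ == "__main__":
    for key, value in assess("/").items():
        print(f"{key}: {value}")
```

A host where `hardened` comes back False can still load an unsigned rootkit module, which is the condition the advisory's Secure Boot recommendation is meant to remove; the `secure_boot` reading alone is not enough, since the kernel must also be configured to enforce signatures.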


What is the status of AV and IPS coverage?

FortiGuard Labs has IPS coverage in place for this event as:

Malware.Drovorub (15.907)


All network IOCs are blocked by the Web Filtering client.

185.86.149[.]125

82.118.242[.]171
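As an added example (not FortiGuard's own tooling), the block below shows how to turn the two defanged addresses listed above into usable indicators and sweep them across firewall or proxy logs to find hosts that have contacted the Drovorub command and control infrastructure. The log lines are constructed sample data in a generic key=value firewall format, not captured traffic, and the source addresses and ports in them are assumptions.

```python
"""Match the advisory's defanged network IOCs against connection logs (added example).

The two IP addresses are the ones listed on this page. SAMPLE_LOGS is
constructed data in an assumed key=value firewall format, not real traffic.
"""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

DEFANGED_IOCS = ["185.86.149[.]125", "82.118.242[.]171"]

# Constructed sample log lines (assumed format; not captured traffic).
SAMPLE_LOGS = [
    "2020-08-13T10:01:02Z fw01 conn src=10.20.30.40 dst=185.86.149.125 dport=443 proto=tcp action=allow",
    "2020-08-13T10:01:05Z fw01 conn src=10.20.30.41 dst=93.184.216.34 dport=80 proto=tcp action=allow",
    "2020-08-13T10:02:17Z fw01 conn src=10.20.30.42 dst=82.118.242.171 dport=8443 proto=tcp action=allow",
    "2020-08-13T10:02:20Z fw01 conn src=10.20.30.40 dst=185.86.149.1 dport=443 proto=tcp action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be parsed: '[.]' -> '.', 'hxxp' -> 'http'."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_ioc_set(defanged: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Parse each refanged indicator as an IPv4 address; a malformed entry raises ValueError
    rather than silently producing a string that would never match anything."""
    return {ipaddress.IPv4Address(refang(item)) for item in defanged}


def scan_logs(lines: Iterable[str],
              iocs: Set[ipaddress.IPv4Address]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line containing an IOC.

    Candidates are extracted with a regex and then parsed as addresses, so a
    prefix such as 185.86.149.1 does not match 185.86.149.125 and junk like
    999.1.1.1 is discarded instead of being compared as text.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ValueError:
                continue
            if addr in iocs:
                hits.append((number, str(addr), line))
    return hits


def matched_sources(hits: Iterable[Tuple[int, str, str]]) -> Set[str]:
    """Collect the internal src= addresses from hits, i.e. the hosts to investigate."""
    sources = set()
    for _, _, line in hits:
        match = re.search(r"\bsrc=(\S+)", line)
        if match:
            sources.add(match.group(1))
    return sources


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, load_ioc_set(DEFANGED_IOCS))
    for number, ip, line in found:
        print(f"line {number}: {ip} <- {line}")
    print("hosts to investigate:", sorted(matched_sources(found)))
```

Running the sweep against the sample data flags lines 1 and 3 only; the near-miss `185.86.149.1` on line 4 is correctly ignored because the match is on parsed addresses rather than substrings. In practice the `src=` hosts it reports are the ones to examine with the advisory's YARA rules and the kernel-module checks above.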