Drovorub malware: What it is, how it works and how to prevent it | Malware spotlight
Introduction
Malware is a threat that has increased exponentially in the last few years, with many sophisticated threads impacting citizens, devices, organizations, nation-states and so on. One of the recent threats reported by the FBI and NSA is a new Linux malware developed by Russia’s military hackers, called Drovorub.
According to the FBI and NSA analysis, the malware seems to be associated with the APT28 (Fancy Bear, Sednit), a nickname given to the hackers operating out of the military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main SpecialService Center (GTsSS). This malware has been used to implant backdoors inside compromised networks for persistence, exfiltration and later access.
Become a certified reverse engineer!
Drovorub: How it works
Drovorub is a Linux malware kit that takes advantage of the Linux kernel to infect victims. It is equipped with a kernel module rootkit, a file transfer, a port forwarding module and a C2 server that allows total control over the infected device and network.
When this piece of malware is installed on the target, it provides the capability for direct communications to the C2 server controlled by crooks, downloading and uploading target files between C2 and infected devices, port forwarding network traffic to arbitrary hosts and executing commands with root privileges.
Figure 1: Drovorub high-level diagram with the malware components.
The communication between Drovorub modules is performed using JSON via WebSockets, as seen in Figure 1. The Drovorub-agent, Drovorub-client and Drovorub-server require configuration files and an RSA public key (for the Drovorub-agent and Drovorub-client) or private key (for the Drovorub-server) for communication.
Below are brief descriptions of the Drovorub modules.
Drovorub-server
The server is installed and running on the C2 server and is responsible to receive and send messages to the agents installed on the victim’s devices. The Drovorub-server uses a MySQL database to manage the clients (Drovorub-clients and agents). The database stores data used for Drovorub-agent and Drovorub-client registration, authentication and tasking.
Figure 2: Example of the Drovorub-server configuration file.
Drovorub-client
The Drovorub-client component is installed on target devices. This component is capable of uploading and downloading files from C2, port forwarding on the internal network and execute privilege commands due to the rootkit module that provides stealth features to hide the client and the kernel module exploitation hooks.
Figure 3: Drovorub-agent configuration file after registration with a Drovorub-server.
Drovorub-kernel module
The Drovorub-kernel module implements the base functionality for hiding itself and various artifacts from user-space, including specified files and directories, network ports, sessions and so on.
When the kernel module is installed and executed, the following activities are performed, namely:
- The Drovorub-kernel module installs all the necessary system call hooks and registers the kernel module by sending a message to the C2 server
- The Drovorub-kernel module hides the Drovorub-client's running processes and the Drovorub client's executable on disk
To perform communications with C2, Drovorub uses JSON as the message format for its WebSocket payloads. All the communications have the same structure:
Figure 4: Basic Drovorub JSON payload structure.
Figure 5 below shows the initial WebSocket connection that both Drovorub-client and Drovorub-agent use to connect and authenticate to the Drovorub-server.
Figure 5: Initial WebSocket connection and Drovorub authentication session.
Drovorub-agent
The Drovorub-agent is installed on internet-accessible hosts inside the compromised infrastructure. This agent executable receives commands from its configured Drovorub-server and includes much of the same functionality as the Drovorub-client, except for the remote shell capability.
The Drovorub-agent is not equipped with the kernel module rootkit. The Drovorub-agent is only used to upload and download files from Drovorub-client endpoints and to forward network traffic through port relays.
Drovorub-client and agent share some features, such as file download and upload:
Figure 6: File download and upload sequence.
The following diagram illustrates one potential scenario where port tunneling configuration could be used between a Drovorub-agent and a Drovorub-client to relay network traffic to a remote host within the compromised network where the Drovorub-client-infected machine resides.
Figure 7: Example “tunnel” setup.
Through the usage of this panoply of techniques, Drovorub is seen as one of the most emergent threats attacking Linux devices this year. Some prevention measures and mitigations are presented below as a way to respond quickly to incidents this line.
Become a certified reverse engineer!
Prevention measures and mitigations
To prevent attacks in-the-wild, organizations should update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.
On the other hand, the usage of detection systems such as Network Intrusion Detection Systems (NIDS) like Suricata, Snort, Zeek and host-based agents should be seen as a mandatory measure to block malicious attempts and trigger a notification when abnormal activity is detected. Also, the use of security products in Linux environments is recommended, including antivirus, endpoint detection agents and response. For host-based detection, the NSA provides the following solutions:
- Probing the presence of the Drovorub kernel module via scripting
- Use security products that can detect malware artifacts and the rootkit functionality (Linux Kernel Auditing System)
- Implement live response techniques — searching for specific filenames, paths, hashes and with Yara rules
- Perform memory analysis: The most effective method to find the rootkit
- Make disk image analysis: Malware artifacts are persistent on disk but hidden from regular system binaries and calls by the rootkit
Also, system administrators are advised to perform hardening in its systems to load only modules with a valid digital signature making systems more resilient to malicious kernel attacks via rootkit.
Sources
NSA and FBI Expose Russian Previously Undisclosed Malware “Drovorub” in Cybersecurity Advisory, NSA
Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware, NSA
Drovorub “Taking systems to the wood chipper” – What you need to know, The State of Security
FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers, ZDNet
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Drovorub malware: What it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis