A dangerous Linux malware called Drovorub has recently been identified as an espionage tool used by Russian hackers in attack campaigns. Recent reporting indicates that the intrusions may be particularly high-impact. Details about it were released by the NSA and the FBI.
NSA and FBI Publish Details on the Drovorub Linux Malware: Reported to be Made by Russian Hackers
A joint public disclosure issued by the FBI and the NSA gives details on the previously unknown Drovorub Linux malware. In their disclosure the agencies note that the information is being shared publicly in order to inform the public about the ongoing threats to the United States and its allies. According to the available information, the hackers are politically motivated Russian criminals.
The discovery of the virus was made by combining the agencies' different intelligence sources with their own analytical capabilities. The public disclosure also lists information taken from foreign partners and the IT industry. The US government attributes the development of the Linux malware to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). What is known about this organization is that it uses many complex methods and techniques to develop highly sophisticated threats. The Drovorub Linux malware is described as a multi-component threat containing several dangerous modules.
Drovorub Linux Malware Capabilities: An In-depth Look
The infection begins with the execution of a local agent. This means that the hackers need distribution techniques that install this initial loader on the target systems.
These can include various phishing strategies designed to trick the victims into thinking they are accessing legitimate content. Popular carriers of such content are email messages and specially created hacker-controlled sites. They can be hosted on similar-sounding domain names and use fake content and self-signed security certificates in order to manipulate the victims. Through these carriers the virus files can be delivered directly as downloads or inserted as links.
Alternative techniques are direct hacking attacks that attempt to exploit any detected security vulnerabilities. It can also be installed by other malware such as Trojans and ransomware. By design it is delivered in the form of a rootkit — an advanced virus that silently installs itself in core operating system modules. This makes both detection and removal very difficult.
Once deployed on a Linux system, the virus starts the local agent, which connects to a hacker-controlled server, allowing the remote attackers to take control of the machine and steal sensitive data. The Drovorub Linux malware has been shown to include the following functionality:
- System Process Hookups — The Drovorub malware can hook itself into running system and user-installed processes. This is used to obtain administrative privileges and manipulate core system configuration files. It can result in severe performance issues and loss of data.
- Persistent Installation — The malware can set itself up as a persistent threat on Linux systems. This means that the threat will launch at boot.
- Information Retrieval — Over the network connection, the criminals can extract sensitive information found on the system, as well as files.
- Security Evasion — The virus can detect whether any security applications and services are installed and evade their scans.
Due to its complexity it is believed that the attackers are using the virus for espionage purposes. System administrators are advised to load only kernel modules that carry a valid digital signature from a trusted signer, since criminals often use kernel modules as carriers for the malware.
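As an added check that is not from the advisory or this article, the following POSIX shell script audits the advice above on a live host: does the running kernel enforce module signatures, and do any loaded modules carry the kernel's unsigned (E) or out-of-tree (O) taint flag? The sysfs paths and the modinfo sig_id field are what the Linux kernel and kmod expose; the SYSFS variable is an assumption added so the functions can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added audit script; not part of the NSA/FBI advisory or the article.
# Checks the mitigation named in the text: only signed kernel modules are loaded.
# Assumes a Linux host with sysfs. SYSFS (assumed variable) defaults to /sys and
# may point at a constructed tree for testing.
# Caveat: a loaded rootkit can hide its module from /proc/modules and sysfs, so
# this audits prevention posture; it is not a rootkit detector.

SYSFS="${SYSFS:-/sys}"

# "enforced" when the kernel rejects unsigned modules (sig_enforce=Y),
# "not-enforced" when sig_enforce=N, "unknown" when the kernel exposes no such
# parameter (for example a kernel built without CONFIG_MODULE_SIG).
sig_enforce_state() {
    f="$SYSFS/module/module/parameters/sig_enforce"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f")" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# Every loaded module exposes its own taint flags at /sys/module/<name>/taint.
# 'E' marks a module the kernel loaded without a valid signature, 'O' an
# out-of-tree build. Print "<name> <flags>" for each flagged module.
flagged_modules() {
    for d in "$SYSFS"/module/*/; do
        t="$d/taint"
        [ -r "$t" ] || continue
        flags=$(cat "$t")
        case "$flags" in
            *E*|*O*) echo "$(basename "$d") $flags" ;;
        esac
    done
}

# Classify modinfo(8) output read from stdin: a signed module carries sig_id.
# Useful for checking a module file on disk before it is ever loaded.
classify_modinfo() {
    if grep -q '^sig_id:'; then echo signed; else echo unsigned; fi
}

case "${1:-}" in
    --run)
        echo "module signature enforcement: $(sig_enforce_state)"
        echo "loaded modules flagged unsigned (E) or out-of-tree (O):"
        flagged_modules
        ;;
esac
```

Run it as `sh audit_modules.sh --run`; `modinfo some.ko | classify_modinfo` checks a single module file.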