FBI and NSA reveal a malware targeting Linux and IoT devices

The Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) have issued a joint report revealing a previously unreported malware, “Drovorub.” The two agencies attribute the malware to APT28, a group also tracked as Fancy Bear. The report contains information on how to prevent falling victim to a Drovorub infection.

Drovorub is a multi-component malware: it consists of an implant, a kernel-module rootkit, a file-transfer tool, a port-forwarding module and a command-and-control (C2) server. It can perform a variety of functions, including stealing data and remotely controlling the device. Because of the advanced rootkit it uses, the malware achieves a high level of stealth and is very difficult to detect.

A rootkit gives a threat actor privileged, root-level access to a device, from which it can perform a variety of tasks, including keylogging, file theft, disabling antivirus products and a host of other operations favoured by state-sponsored groups. In the case of a Drovorub infection, the rootkit allows the malware to be loaded at boot, which adds persistence within the infected network because the malware survives a system restart. The advanced rootkit also lets Fancy Bear infect a wide range of targets and conduct attacks at any time.

It can be assumed that the malware targets organizations in North America, as they present a wealth of opportunities to hackers of all kinds; however, the agencies’ report does not mention any specific targets. The 45-page report provides several important details. The name of the malware was not coined by either agency: it is the name Fancy Bear itself uses, and it can be roughly translated as “to chop firewood.” Attribution of the malware to Fancy Bear was possible because the hackers reused servers across several campaigns, including one operation seen distributing Drovorub.

Fancy Bear targets IoT (Internet of Things) devices in general. In early 2019, Microsoft revealed a campaign that infected IoT devices. In the same year, another campaign targeting IoT devices was uncovered; it was revealed in August. However, researchers said that Fancy Bear activity could be traced back to April, when the group attempted to compromise multiple IoT devices. At the time, the Redmond IT giant stated:

“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting.”

According to the reports submitted by the two agencies, Drovorub was deployed. The link between that campaign and the malware was made after the discovery that an IP address previously documented by Microsoft had also been used. The agencies noted that:

“In addition to NSA’s and FBI’s attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure. For one example, on August 5, 2019, Microsoft Security Response Center published information linking IP address 82.118.242.171 to Strontium infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. (Microsoft Security Response Center, 2019) (Microsoft, 2019) NSA and FBI have confirmed that this same IP address was also used to access the Drovorub C2 IP address 185.86.149.125 in April 2019.”

The published report provides further technical details about the malware, including guidance for running Volatility, probing for file-hiding behaviour, and Snort and YARA rules that admins can use to develop proper detection methods and protect their networks.

The security firm McAfee also published a blog article with security measures and recommendations for scanning for rootkits and hardening Linux kernels that are susceptible to infection. As preventative measures, admins are advised to update the Linux kernel to version 3.7 or later and to configure systems so that they only load kernel modules carrying a valid digital signature.
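As an added illustration (not code from the FBI/NSA report or the McAfee article), the following POSIX shell script audits those two recommendations on a Linux host: it compares the running kernel version against 3.7 and checks whether module-signature enforcement is configured, both in the kernel build config and at runtime. The config and sysfs paths are the standard Linux ones; the sample inputs used in the comments and checks are constructed.

```shell
#!/bin/sh
# Added example, not from the FBI/NSA report or the McAfee blog: audits the
# two hardening recommendations (kernel >= 3.7, signed modules only).

# Return 0 if the kernel version string in $1 (e.g. "5.4.0-42-generic")
# is at least 3.7; only the major and minor numbers are compared.
kernel_at_least_3_7() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    minor=${minor:-0}
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; then return 0; fi
    return 1
}

# Return 0 if the kernel build config in file $1 both signs modules
# (CONFIG_MODULE_SIG) and refuses unsigned ones (CONFIG_MODULE_SIG_FORCE).
config_enforces_module_sig() {
    grep -qx 'CONFIG_MODULE_SIG=y' "$1" && grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"
}

# Return 0 if the running kernel reports sig_enforce=Y in the sysfs file $1
# (normally /sys/module/module/parameters/sig_enforce; it is also Y when the
# kernel was booted with module.sig_enforce=1).
sysfs_sig_enforce() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# Audit the local host and print one PASS/FAIL line per check.
audit_host() {
    kver=$(uname -r)
    if kernel_at_least_3_7 "$kver"; then echo "PASS kernel $kver >= 3.7"; else echo "FAIL kernel $kver < 3.7"; fi
    cfg="/boot/config-$kver"
    if [ -r "$cfg" ] && config_enforces_module_sig "$cfg"; then echo "PASS $cfg forces signed modules"; else echo "FAIL $cfg does not force signed modules (or is unreadable)"; fi
    if sysfs_sig_enforce /sys/module/module/parameters/sig_enforce; then echo "PASS sig_enforce=Y at runtime"; else echo "FAIL sig_enforce is not Y at runtime"; fi
    return 0
}

audit_host
```

A FAIL on the second or third line means unsigned modules could still be loaded, which is the door a kernel-module rootkit like Drovorub's walks through.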

Drovorub targets Linux devices for multiple reasons. The major one is that Linux is open source, and more and more manufacturers and large companies are adopting hardware that runs Linux. The malware targets IoT devices because Linux has become the OS of choice for them. For developers, the open-source nature of Linux is attractive: it saves costs and allows for complete OS transparency, meaning developers have access to the entire OS and can build better software products. This in turn attracts hackers, who can now find and exploit flaws that would previously have been overlooked.