Search

STEALTHY LINUX MALWARE – “DROVORUB”

Hello Everyone,
Back again this week with another latest news.
Recently we have lots of vulnerabilities and Malware these days, today a new malware from Russians.
NSA and FBI exposed a Russian APT28 Linux Malware named “DROVORUB” targeted towards Linux wanted to plant backdoors inside networks.

Russian Hackers used Drovorub as swiss army knife to retrieve files and to remotely control the victim’s computer and it carries out various actions accessible to Linux Kernels.

Drovorub malware comes as package contains four more with it, each carries various works; in short,
Drovorub-Client –> Implant
Drovorub-kernel Module –> RootKit
Drovorub-Agent –> Port Forwarding and File Transfer Tool
Drovorub-Server –> Command and Control (C2) Server

NSA Stated that APT Hackers made the Malware Fully Undetectable and Implemented with lots of evasion techniques to hide the job it is being carrying out such as in userspace, specific files and directories, processes and evidence of those processes within the /proc file system.
It also performs hiding processes like file hiding, socket hiding, netfilter hiding and hiding from raw socket.

How it Works?

The malware has some capabilities like port forwarding and remote ROOT shells.
Threat actors use controlled environment that can be managed by them. It needs a MySQL database to manage joining agents and clients.
In the Victim’s End Drovorub-Client and Kernel will run where in Attackers end Drovorub Server and Agent will run

Client(Victim) takes commands from the server(Attacker) once it gets installed in the server.

Mitigation Actions
NSA affirmed that the investigation is going on. But Until it gets fixed they have added recommendations for the users to implement to stop Drovorub.
1) Apply Linux Updates
2) System Managers should Regularly check for advanced version from vendors to take benefit and the most security detection methods.
3) Avoid Untrusted Kernel Modules
4) Configure systems to store only modules with a compelling digital signature, as it makes it more challenging for a threat actor to import an ill-disposed kernel module into the system.

So it is always advised to be safe and secure by knowing yourself first.
Stay safe and secure
Thank you, See you again in another Blog

AUTHOR: SAM NIVETHAN V J
SECURITY ANALYST & TRAINER

Book A Free Demo Class

    Social Media
    Facebook
    Twitter
    WhatsApp
    LinkedIn