The NSA and the FBI released a joint statement about a previously undisclosed malware used by the Russian military intelligence unit – the GRU. The malware, named Drovorub, targets Linux and uses highly advanced persistence and detection avoidance techniques.
Drovorub consists of four components: client, kernel module, agent, and server. The Drovorub client is the main implant, installed on each endpoint after a successful compromise. It provides file upload/download capabilities and the ability to run shell commands received from a C&C server with root privileges. To gain persistence and to hide itself, the client registers with the kernel module.
The kernel module provides persistence via various techniques, including capabilities provided directly by the Linux kernel. To hide the implant, the kernel module hooks kernel functions and filters out any traces of the malware. This functionality can make Drovorub almost completely invisible from user space.
To hide Drovorub-related processes, the kernel module hooks the find_pid_ns(), find_pid() and find_task_by_pid_type() functions. Drovorub also hides its files and processes from the /proc virtual filesystem by hooking various filesystem-related functions. To hide its network operations, Drovorub hooks Netfilter and skb_recv_datagram() and filters out its own TCP and UDP connections.
The main purpose of the agent component is to provide port forwarding. It features neither remote shell capabilities nor evasion via the kernel module. The Drovorub server acts as the C&C server for agents and clients.
For forensic or incident response teams trying to detect Drovorub-infected systems, acquiring a memory image and a disk image is recommended, because the malware's evasion techniques can hide malicious artifacts from live response forensic tools that rely on the running kernel.
While the techniques used by the Drovorub malware are very advanced, effective mitigations are available. By enabling UEFI Secure Boot, you ensure that only signed and trusted bootloaders, kernels, and kernel modules can be loaded. If your endpoints are not compatible with UEFI Secure Boot, you can enable kernel module signing enforcement.
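As an added example (not part of the original article or of the NSA/FBI advisory), the POSIX shell script below audits the two mitigations just named and the kernel taint flags a defender would check first: whether UEFI Secure Boot is enabled, whether the running kernel enforces module signatures, and whether an out-of-tree or unsigned module has been loaded since boot. The file paths and the EFI_GLOBAL_VARIABLE GUID are the standard Linux and UEFI locations; the bit positions are those documented by the kernel for /proc/sys/kernel/tainted. Each check is a function that takes its input as an argument, so the logic can be exercised on constructed values as well as on the live system.

```shell
#!/bin/sh
# Added example: audit Secure Boot, module signature enforcement and kernel
# taint flags. Not code from the article; paths and GUID are the standard
# Linux/UEFI locations, taint bits follow the kernel's tainted-kernels doc.

# Decode a taint bitmask (the integer found in /proc/sys/kernel/tainted).
# Bit 0: proprietary module, bit 1: forced load, bit 12: out-of-tree
# module, bit 13: unsigned module loaded while signing was not enforced.
decode_taint() {
  v=${1:-0}
  out=""
  [ $((v & 1)) -ne 0 ]    && out="$out PROPRIETARY_MODULE"
  [ $((v & 2)) -ne 0 ]    && out="$out FORCED_MODULE"
  [ $((v & 4096)) -ne 0 ] && out="$out OOT_MODULE"
  [ $((v & 8192)) -ne 0 ] && out="$out UNSIGNED_MODULE"
  [ -z "$out" ] && out=" CLEAN"
  printf '%s\n' "${out# }"
}

# Report the module signature enforcement setting (Y or N). The file is
# absent on kernels built without CONFIG_MODULE_SIG, reported as
# "unavailable". Path defaults to the live sysfs node.
sig_enforce_state() {
  f=${1:-/sys/module/module/parameters/sig_enforce}
  [ -r "$f" ] || { echo unavailable; return 0; }
  tr -d '\n' < "$f"
  echo
}

# Read the UEFI SecureBoot variable from efivars. The file carries a 4-byte
# attribute header followed by a 1-byte value (1 = enabled, 0 = disabled).
# Missing file means a non-EFI boot or efivars not mounted.
secureboot_state() {
  f=$1
  [ -r "$f" ] || { echo unavailable; return 0; }
  b=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
  case $b in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo "unexpected value: $b" ;;
  esac
}

# Live audit of the current host (skipped when /proc is not available).
if [ -r /proc/sys/kernel/tainted ]; then
  echo "taint flags: $(decode_taint "$(cat /proc/sys/kernel/tainted)")"
  echo "module signature enforcement: $(sig_enforce_state)"
  echo "UEFI Secure Boot: $(secureboot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"
fi
```

A reading of "enabled", "Y" and "CLEAN" is the expected state for a hardened endpoint. Treat a clean result as necessary rather than sufficient: every value here is read through /proc and /sys, and a kernel-resident implant that hooks those interfaces can falsify them, which is exactly why the article recommends offline memory and disk acquisition for confirmation.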