First posted on 14 August 2020.
There are no other names known for Drovorub.
FBI and NSA officials attribute the malware to APT28 (Fancy Bear, Sednit), the codename given to the hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Drovorub - APT28's Swiss-army knife for hacking Linux.
Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
Drovorub is a 'Swiss-army knife' of capabilities that lets the attacker perform many different functions, such as stealing files and remotely controlling the victim's computer. Beyond these capabilities, Drovorub is designed for stealth: it uses advanced 'rootkit' techniques that make detection difficult. That stealth lets the operatives implant the malware on many different types of targets and launch an attack at any time.
To prevent infection, update any Linux system to kernel version 3.7 or later in order to take full advantage of kernel module signing enforcement, a security feature that would prevent APT28 hackers from installing Drovorub's kernel-module rootkit.
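An added defender-side check for the mitigation above (example script, not from the page or the NSA/FBI advisory). It assumes the sysfs parameter file `/sys/module/module/parameters/sig_enforce` and the decimal taint mask in `/proc/sys/kernel/tainted`, with bit 13 meaning an unsigned module has been loaded:

```shell
#!/bin/sh
# Added example, not from the page or the NSA/FBI advisory: audit whether a
# Linux host has the kernel-module signing protection the page recommends.
# Assumed paths: /sys/module/module/parameters/sig_enforce (Y/N) and
# /proc/sys/kernel/tainted (decimal mask; bit 13 = TAINT_UNSIGNED_MODULE).

# Return 0 if kernel release $2 (e.g. "5.4.0-42-generic") is at least
# major.minor $1. Compares numerically, so 3.10 ranks above 3.7.
kernel_at_least() {
    want_major=${1%%.*}; want_minor=${1#*.}
    rel=${2%%-*}                       # drop the "-42-generic" suffix
    have_major=${rel%%.*}; rest=${rel#*.}; have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Return 0 if the sysfs parameter file $1 reads "Y": unsigned modules are
# rejected outright instead of merely tainting the kernel.
sig_enforce_enabled() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "Y" ]
}

# Return 0 if taint mask $1 has bit 13 set: an unsigned module has already
# been loaded, which deserves a look on a host that should be enforcing.
unsigned_module_loaded() {
    [ $(( ($1 >> 13) & 1 )) -eq 1 ]
}

audit_host() {
    rel=$(uname -r)
    if kernel_at_least 3.7 "$rel"; then
        echo "kernel $rel: module signing is available"
    else
        echo "kernel $rel: older than 3.7, module signing unavailable"
    fi
    if sig_enforce_enabled; then
        echo "sig_enforce=Y: unsigned modules are rejected"
    else
        echo "sig_enforce not enforced: unsigned modules can still load"
    fi
    if [ -r /proc/sys/kernel/tainted ] \
       && unsigned_module_loaded "$(cat /proc/sys/kernel/tainted)"; then
        echo "WARNING: taint bit 13 set, an unsigned module has been loaded"
    fi
}

audit_host
```

On a host where `sig_enforce` reads `N`, the kernel was built with module signing but not enforcement, so an unsigned module still loads and only sets the taint bit; the third check catches that case after the fact.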
Last update 14 August 2020