The FBI and NSA have published a joint advisory, full of technical details, describing the Drovorub malware, which targets Linux systems and is designed to give attackers a persistent backdoor.
According to the agencies, the malware was created by the Russian hacker group APT28 (aka Fancy Bear, Strontium, Pawn Storm, Sofacy, and so on), which researchers have long associated with Russian intelligence, specifically the GRU's 85th Main Special Service Center (GTsSS).
FBI and NSA officials say they were able to link Drovorub to APT28 because the group reuses the same infrastructure across operations. For example, Drovorub connects to a command-and-control server whose IP address had already been used in 2019 for attacks on IoT devices; Microsoft specialists documented that address at the time.
Drovorub is a multi-component toolset consisting of an implant, a kernel-module rootkit, a file transfer tool, a port forwarding module, and a command-and-control server.
“Drovorub is a ‘Swiss Army knife’ that allows attackers to perform many different operations, including stealing files and remotely controlling the victim's computer,” McAfee specialists commented. “It was built to work stealthily and uses rootkits to make it difficult to detect.”
To protect against Drovorub, the agencies recommend that organizations in the US update their systems to Linux kernel 3.7 or later and configure them to load only kernel modules with a valid digital signature, so that enforced signature verification blocks the unsigned Drovorub rootkit module. Note that kernel 3.7 only introduced support for module signing; enforcement still has to be switched on, either in the kernel configuration, via the module.sig_enforce boot parameter, or through UEFI Secure Boot on distributions that tie the two together. The 45-page document also contains guidance on using Volatility, Snort and Yara rules, and other useful information for detecting a potential compromise.
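The following POSIX shell script is an added example, not part of the advisory or of the original article, showing how a practitioner would check whether a host actually satisfies the advisory's precondition: a kernel of version 3.7 or later with module signature enforcement active, and no unsigned module already loaded. The paths it reads (/sys/module/module/parameters/sig_enforce, /proc/sys/kernel/tainted) are standard Linux sysfs/procfs locations; the taint bit it tests (bit 13, TAINT_UNSIGNED_MODULE) is set by the kernel whenever an unsigned module has been loaded. The function names and the sample version strings are this example's own.

```sh
#!/bin/sh
# Added example (not from the NSA/FBI advisory): does this host meet the
# advisory's precondition for rejecting Drovorub's unsigned kernel module?

# kernel_at_least VERSION MAJOR MINOR -> success if VERSION >= MAJOR.MINOR
# VERSION is a `uname -r` string such as "5.15.0-generic".
kernel_at_least() {
    ver=${1%%-*}            # drop "-generic", "-4-amd64" style suffixes
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# sig_enforcement_status VALUE -> prints enforced / not-enforced / unknown
# VALUE is the content of /sys/module/module/parameters/sig_enforce (Y or N);
# the file is absent when the kernel was built without CONFIG_MODULE_SIG.
sig_enforcement_status() {
    case "$1" in
        Y) echo enforced ;;
        N) echo not-enforced ;;
        *) echo unknown ;;
    esac
}

# unsigned_module_loaded TAINTED -> success if taint bit 13 (TAINT_UNSIGNED_MODULE)
# is set. TAINTED is the integer read from /proc/sys/kernel/tainted.
unsigned_module_loaded() {
    [ $(( ($1 >> 13) & 1 )) -eq 1 ]
}

# assess VERSION SIG_ENFORCE TAINTED -> prints a one-line verdict; success when
# all three checks pass. Findings are joined with "; " in check order.
assess() {
    verdict=""
    kernel_at_least "$1" 3 7 || verdict="kernel $1 predates module signing (3.7)"
    [ "$(sig_enforcement_status "$2")" = enforced ] \
        || verdict="${verdict:+$verdict; }module signature enforcement is off"
    unsigned_module_loaded "$3" \
        && verdict="${verdict:+$verdict; }an unsigned module has already been loaded (taint bit 13)"
    if [ -z "$verdict" ]; then
        echo "OK: kernel $1, unsigned modules rejected, no unsigned-module taint"
        return 0
    fi
    echo "WARN: $verdict"
    return 1
}

# Live check on the current host, skipped when procfs is not available.
if [ -r /proc/sys/kernel/tainted ]; then
    live_ver=$(uname -r)
    live_sig=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo unknown)
    live_taint=$(cat /proc/sys/kernel/tainted)
    assess "$live_ver" "$live_sig" "$live_taint" || true
fi
```

A "not-enforced" or "unknown" result means an unsigned .ko can still be inserted by a root-level attacker regardless of kernel version, which is exactly the situation the advisory's hardening recommendation is meant to close; a set taint bit 13 is worth investigating even on a host that otherwise looks correctly configured, since it records an unsigned module that was loaded before enforcement was (or without it ever being) switched on.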
Interestingly, the name Drovorub was given not by the researchers but by the hackers themselves. The well-known information security specialist Dmitri Alperovitch, who has long studied Russian hacking campaigns, points out that "drova" (literally "firewood") is Russian slang for drivers, and the name should be read in that light.
Re: malware name “Drovorub”, which as @NSACyber points out translates directly as “woodcutter”
However, more importantly, “Drova” is slang in Russian for “drivers”, as in kernel drivers. So the name likely was chosen to mean “(security) driver slayer” https://t.co/yToULwp3xw
– Dmitri Alperovitch (@DAlperovitch) August 13, 2020