What is APT28's Drovorub Malware?

The NSA and FBI have today released an advisory (pdf) about previously undisclosed malware called Drovorub, which has been attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. The group is also known as APT28 or Fancy Bear. It takes advantage of several functions available in Linux kernels <3.7.

What the heck is it?

Well, Drovorub is actually four tools rolled into one rather than one specific thing. It's a malware suite that consists of four components: a kernel module rootkit, an implant, a file transfer and port forwarding tool, and a C2 (Command and Control) server.


Their functions can be summarised as:

General communication between components is done using JSON passed over websockets.

The Server: This is generally installed on an environment controlled by the attacker. It uses a MySQL database to manage connecting agents and clients, as well as handling authentication, tasking and registration of new agents and clients.

The Client: Installed on the target by the attacker, this receives commands from the server and allows files to be transferred between them. Other capabilities include port forwarding and remote root shells. The client is packaged with the kernel module to provide hiding capabilities for both.

The Kernel Module: Controls the hiding of the client, its processes, files and network ports from user-space.

The Agent: Generally installed on internet-facing hosts, it is similar to the client but with less capability and is not packaged with the kernel module. It appears to be used to transfer files in and out of the network and to forward network traffic.

Why is it called Drovorub? From the Russian word for splitting or cutting down wood: it is made up of Drovo ("wood") and Rub ("to fell"/"chop").

Should I be worried? Not unless you are running kernel versions older than Linux kernel 3.7. Kernels after this take advantage of kernel module signing enforcement and prevent Drovorub taking hold. Another preventative method is to only allow trusted kernel modules to be loaded via a trusted certificate; this requires UEFI Secure Boot to be enabled. Read more about this here.

Can I detect it? A simple method to check whether the kernel module is installed is to create a test file and then write a specially formatted string naming that file to /dev/zero; the Drovorub kernel module intercepts such writes and hides the named file.

You can achieve this with these commands:


touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero

If the testfile disappears (just run 'ls' afterwards) the kernel module is installed. Obviously the file remaining does not guarantee the system has not been infected, and other methods should be used to check this. You may want to use the Snort and Yara rules that are available in the NSA/FBI advisory here (pdf).
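The same /dev/zero probe, wrapped in a shell function that cleans up after itself and returns a verdict instead of relying on a manual 'ls'. This is an added example, not code from the advisory or the original post; the probe file name and temporary directory are constructed here, and it assumes /dev/zero is writable (as it normally is).

```shell
#!/bin/sh
# Added example: automate the advisory's /dev/zero "hide file" check.
# Assumes /dev/zero is writable and a temporary directory can be created.

drovorub_hide_probe() {
    dir=$(mktemp -d) || return 2
    # Constructed, unlikely file name so the probe cannot collide with
    # real files that a rootkit might already be hiding.
    name="drovorub_probe_$$"
    touch "$dir/$name"

    # The Drovorub kernel module intercepts writes to /dev/zero and treats
    # "ASDFZXCV:hf:<name>" as an instruction to hide that file name.
    # On a clean system the write is simply discarded by /dev/zero.
    printf 'ASDFZXCV:hf:%s\n' "$name" > /dev/zero

    # Check visibility two ways: directory listing and a direct existence
    # test, so the verdict does not depend on a single hooked code path.
    listed=0; exists=0
    ls -1 "$dir" | grep -qx "$name" && listed=1
    [ -e "$dir/$name" ] && exists=1

    # Clean up; rmdir may fail if the file is hidden but still present.
    rm -f "$dir/$name"
    rmdir "$dir" 2>/dev/null || true

    if [ "$listed" -eq 1 ] && [ "$exists" -eq 1 ]; then
        echo clean      # probe file still visible: module not detected
        return 0
    fi
    echo suspect        # probe file vanished: investigate further
    return 1
}
```

A "clean" result only means this one hiding hook was not triggered; pair it with the advisory's Snort and Yara rules before drawing conclusions.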
