In a joint report issued by the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), information regarding a new, previously unreported malware called Drovorub has been released to the public. The two agencies attribute the malware to APT28, a group tracked under a variety of codenames; this publication refers to it as Fancy Bear. The report contains a wealth of technical information for anyone needing to harden their Linux systems against a Drovorub infection.
The malware has been described as a “Swiss Army knife” because it is made up of several components: an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server. Together these let the malware perform a variety of functions, including stealing data and controlling the infected system remotely. Its high level of stealth, which makes it very difficult to detect, comes from the use of an advanced rootkit. A rootkit is typically defined as malicious code that achieves root, that is privileged, access to the infected system. From there it can be used to perform a variety of tasks, including keylogging, file theft, disabling antivirus products, and a host of other operations favored by state-sponsored groups. In Drovorub's case the rootkit allows the malware to be loaded at boot, which adds persistence within the infected network since, unlike many other malware families, the malware survives a system restart. Further, the use of such an advanced rootkit allows Fancy Bear to infect a wide variety of targets and to conduct attacks at any time.
The report issued by the two agencies does not mention specific targets, but it can safely be assumed that organizations in North America will be targeted, as they present a wealth of opportunities to hackers of all kinds, be they state-sponsored or financially motivated. It is feared that, given the malware's stealthy and utilitarian nature, it could be used in cyber espionage and election interference.
The 45-page report details several important points; a summary of the more interesting parts is reproduced here. The name Drovorub was not coined by the FBI or the NSA; it is the name used by Fancy Bear itself and can be roughly translated as “to chop firewood”. Attribution to Fancy Bear was made possible by the hackers reusing servers across several campaigns, including one operation seen distributing Drovorub.
Drovorub Used to Target IoT Devices
Fancy Bear has a habit of targeting Internet of Things (IoT) devices. In early 2019 Microsoft revealed a campaign capable of infecting IoT devices, and later the same year Microsoft uncovered another campaign targeting them. Details of the latter campaign were revealed in August, but according to researchers Fancy Bear activity could be traced back to April, with the group attempting to compromise multiple IoT devices. The devices included a VOIP phone, an office printer, and a video decoder. At the time the Redmond IT giant stated,
“The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer's passwords and in the third instance the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting,”
According to the FBI and NSA, Drovorub appears to have been deployed in at least one of those instances. The link between the campaign and the malware was made after the agencies found that the same IP address Microsoft had previously documented was used. The agencies confirmed Microsoft’s findings, noting that,
“In addition to NSA's and FBI's attribution to GTsSS, operational Drovorub command and control infrastructure has been associated with publicly known GTsSS operational cyber infrastructure. For one example, on August 5, 2019, Microsoft Security Response Center published information linking IP address 188.8.131.52 to Strontium infrastructure in connection with the exploitation of Internet of Things (IoT) devices in April 2019. (Microsoft Security Response Center, 2019) (Microsoft, 2019) NSA and FBI have confirmed that this same IP address was also used to access the Drovorub C2 IP address 184.108.40.206 in April 2019.”
The report published by the two US agencies goes into great detail on the technical workings of the malware. This includes guidance for running Volatility, probing for file hiding behavior, Snort rules, and YARA rules, so that admins can develop proper detection methods and protect their networks. The security firm McAfee also published a blog article with further security measures and recommendations for scanning for rootkits and hardening Linux kernels susceptible to infection. For anyone charged with defending networks targeted by state-sponsored groups, these reports should be regarded as required reading. As a preventative measure, the agencies advise admins to update the Linux kernel to version 3.7 or later, in order to take advantage of the kernel feature that enforces signing of kernel modules. Further, admins should configure systems so that they only load modules carrying a valid digital signature.
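As an added illustration of the two mitigations relayed above (this is example code written for this page, not code from the FBI/NSA report, from McAfee, or from the article's author), the following POSIX shell script audits a host for a kernel at 3.7 or later and for module signature enforcement. The sysfs file `/sys/module/module/parameters/sig_enforce` and the `module.sig_enforce=1` boot parameter are standard Linux kernel interfaces; the version comparison, function names and PASS/FAIL wording are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the FBI/NSA report or this article): audit the two
# mitigations the article relays, a kernel >= 3.7 and a kernel that only loads
# modules carrying a valid signature. Function names and output format are
# assumptions of this script; the sysfs path and boot parameter are standard.

SIG_ENFORCE_FILE=/sys/module/module/parameters/sig_enforce

# kernel_at_least MIN ACTUAL: succeed if ACTUAL ("5.4.0-80-generic") is >= MIN ("3.7").
# Only major.minor are compared; the suffix after the minor number is ignored.
kernel_at_least() {
    min=$1
    actual=$2
    min_major=${min%%.*}
    min_minor=${min#*.}; min_minor=${min_minor%%[!0-9]*}
    act_major=${actual%%.*}
    act_minor=${actual#*.}; act_minor=${act_minor%%[!0-9]*}
    [ "$act_major" -gt "$min_major" ] && return 0
    [ "$act_major" -eq "$min_major" ] && [ "$act_minor" -ge "$min_minor" ]
}

# module_sig_enforced FILE: succeed only if FILE (normally $SIG_ENFORCE_FILE) reads "Y".
# A missing file means the kernel was built without CONFIG_MODULE_SIG, so an
# unsigned module, a rootkit module included, would load without complaint.
module_sig_enforced() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "Y" ]
}

# cmdline_enforces_sig CMDLINE: succeed if the boot command line switches
# enforcement on explicitly (module.sig_enforce=1), which is how to harden a
# kernel built with CONFIG_MODULE_SIG but without CONFIG_MODULE_SIG_FORCE.
cmdline_enforces_sig() {
    case " $1 " in
        *" module.sig_enforce=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit: print one PASS/FAIL/INFO line per check for the running host; always exits 0.
audit() {
    kv=$(uname -r)
    if kernel_at_least 3.7 "$kv"; then
        echo "PASS kernel $kv supports module signature enforcement"
    else
        echo "FAIL kernel $kv predates module signature enforcement (3.7)"
    fi
    if module_sig_enforced "$SIG_ENFORCE_FILE"; then
        echo "PASS signature enforcement is on"
    else
        echo "FAIL signature enforcement off or unavailable ($SIG_ENFORCE_FILE)"
    fi
    if [ -r /proc/cmdline ] && cmdline_enforces_sig "$(cat /proc/cmdline)"; then
        echo "PASS module.sig_enforce=1 is on the boot command line"
    else
        echo "INFO module.sig_enforce=1 not set; add it to GRUB_CMDLINE_LINUX to force enforcement"
    fi
    return 0
}

audit
```

Run it as root on each Linux host in scope; a FAIL on the second check means an unsigned kernel module can be inserted, which is exactly the condition a kernel-module rootkit relies on. The INFO line is advisory only: a kernel built with CONFIG_MODULE_SIG_FORCE enforces signatures without the boot parameter.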
Why Linux and IoT devices?
For many, the question is why create malware targeting Linux in the first place? The reasons are many, but one of the major ones is that, as Linux is open source and more and more manufacturers and large companies adopt hardware running Linux, the incentive for hackers to develop Linux malware grows. It is true that the vast majority of malware targets Microsoft users, as the OS has a much larger user base and vulnerabilities discovered in Microsoft products potentially allow for more effective malware, but there has been a marked increase in the use of Linux. This increase in turn has led malware developers to turn their gaze to Linux in ever-increasing numbers.
The second part of the question is why target IoT devices? Again the reasons are numerous, but chief among them is that Linux has become the OS of choice for IoT devices. As these devices are produced in ever-increasing numbers, so grows the number of devices running some version of Linux. For developers the open-source nature of Linux is attractive: it saves costs and allows for complete OS transparency, meaning developers have access to the entire OS and can develop better software products to run on it. This in turn has attracted hackers, who can now find and exploit flaws that would previously have been overlooked.
For Fancy Bear these reasons make for targets that can no longer be ignored, especially combined with the knowledge that many of the world’s largest organizations and government agencies deploy Linux in one version or another, be it via IoT devices or through servers. The Equifax breach is an excellent example of this: while not necessarily conducted by a state-sponsored group, access to the network was gained via a vulnerability in Apache Struts, a popular web development framework typically found on Linux servers. Security researcher Ian Folua discovered that half of the Fortune 100 companies used Apache Struts in one form or another.
For cyber espionage and the other activities associated with Fancy Bear, ignoring such targets would be silly. It can also safely be assumed that many governments and their organizations around the world use Apache Struts or Linux kernels within their infrastructure. The problem is further amplified by large networks employing a wide variety of software packages, which makes it difficult to get a full picture of the network and patch what needs to be patched. To counter this, Ian Folua advises that admins begin by determining the extent of open-source packages and tools used on the network and then track those for updates. The average developer can adopt five new open-source tools a month, so tracking these can prove vital to organizational security.