
Fancy Bear is moving into Linux malware


The NSA and FBI have released a new cybersecurity advisory warning that Russian government hackers known as Fancy Bear have begun deploying previously undisclosed malware that targets Linux systems.

The hackers in question, also known as APT28 or Strontium, work for Russia's General Staff Main Intelligence Directorate's 85th Main Special Service Center (military unit 26165) and refer to their new malware strain as Drovorub. The malware is a rootkit designed to infect and take control of Linux systems in order to steal their files, and Fancy Bear is using it against targets valuable to the Kremlin.

The NSA and FBI provided more details on Drovorub's capabilities in their cybersecurity advisory, saying:

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as "root"; and port forwarding of network traffic to other hosts on the network.”

Drovorub malware

Drovorub's kernel module is one of the most dangerous parts of this new malware strain as it is able to hook into a Linux system's kernel to intercept and filter system calls. This prevents users, admins and even automated antivirus software from observing the malware's activities as well as its files.

The NSA and FBI also pointed out in their advisory that detecting the malware's activity on a large scale is quite difficult because the malware “hides Drovorub artifacts from tools commonly used for live-response at scale”.

Because Fancy Bear is a unit of the Russian military, the group often works on extremely high-value areas that the Kremlin has an interest in, and it frequently targets entities in the defense, government, and aerospace industries. It is believed that the group is responsible for hacking the Democratic National Committee in 2016 as well as targeting the World Anti-Doping Agency in 2019.

To better detect Drovorub's presence on their systems, the NSA and FBI recommend that organizations block untrusted kernel modules, keep their Linux installations up to date and use kernel version 3.7 or later. Unfortunately, these measures will not prevent the malware from infecting a Linux system; they will only make it easier to detect.
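
One way to check a host against the recommendations above, as an added example that is not taken from the advisory or from this article. It assumes that "block untrusted kernel modules" is implemented through the kernel's module signature enforcement (the `sig_enforce` module parameter); the function names and the `ROOT` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): host checks for the mitigation above.
# ROOT is "/" on a live host or the mount point of an offline image (assumption).
# Function bodies use ( ) so their variables stay local to a subshell.

# kernel_at_least MIN RELEASE: succeeds if RELEASE (uname -r style) >= MIN, e.g. 3.7
kernel_at_least() (
    min_major=${1%%.*}; min_minor=${1#*.}
    major=${2%%.*}; rest=${2#*.}
    case $2 in *.*) ;; *) rest=0 ;; esac    # no minor component given
    minor=${rest%%[!0-9]*}                  # "10.0-1160.el7" -> "10"
    [ "$major" -gt "$min_major" ] ||
        { [ "$major" -eq "$min_major" ] && [ "${minor:-0}" -ge "$min_minor" ]; }
)

# sig_enforce_state ROOT: prints enforced, not-enforced or unknown
sig_enforce_state() (
    f="${1%/}/sys/module/module/parameters/sig_enforce"
    if [ ! -r "$f" ]; then echo unknown       # parameter not exposed by this build
    else case $(cat "$f") in Y|1) echo enforced ;; *) echo not-enforced ;; esac
    fi
)

# tainting_modules ROOT: prints "name flags" for loaded modules whose taint flags
# include O (out-of-tree) or E (unsigned). A module hidden by a rootkit is not listed.
tainting_modules() (
    for t in "${1%/}"/sys/module/*/taint; do
        [ -r "$t" ] || continue
        flags=$(cat "$t")
        case $flags in *[OE]*) echo "$(basename "$(dirname "$t")") $flags" ;; esac
    done
)

# audit_host ROOT RELEASE: one finding per line; exit status = number of FAILs
audit_host() (
    root=${1:-/}; rel=${2:-$(uname -r)}; fails=0
    if kernel_at_least 3.7 "$rel"; then echo "PASS kernel $rel is 3.7 or later"
    else echo "FAIL kernel $rel is older than 3.7"; fails=$((fails + 1)); fi
    state=$(sig_enforce_state "$root")
    if [ "$state" = enforced ]; then echo "PASS module signature enforcement is on"
    else echo "FAIL module signature enforcement: $state"; fails=$((fails + 1)); fi
    tainting_modules "$root" | sed 's/^/WARN out-of-tree or unsigned module: /'
    exit "$fails"
)
# Live host: audit_host / "$(uname -r)"
```

Because the rootkit filters what a running system reports, the same checks are more trustworthy when `ROOT` points at an image of the host examined offline.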

Via The Register