The FBI and NSA warn in a joint security alert about a previously undisclosed Linux malware, Drovorub, that they say threatens national security.
According to the report, the Linux rootkit is of Russian origin. The Russian military hacking group known as APT28 (other researchers call it Fancy Bear, Strontium, Pawn Storm, Sofacy, Sednit, and Tsar Team) is said to use Drovorub to covertly infiltrate networks, access information, and execute commands on the infrastructure.
The malware was reportedly operated with a command-and-control server that had already been used in 2019 for APT28 attacks against IoT devices; Microsoft had previously documented that IP address in connection with APT28.
Through their joint alert, the two agencies hope to raise awareness in the US private and public sectors so that IT administrators can quickly deploy detection rules and prevention measures.
Drovorub consists of a client and a kernel module that the hacking group installs on the affected Linux systems. The kernel module serves as a rootkit: it nests deep in the operating system to hide the implant's presence and to achieve persistence.
Once the malware is installed, it is difficult to remove; it runs with root privileges (the kernel module itself executes in kernel space) and gives the group full control of the Linux system.
Stolen information and control commands are exchanged between the client and the group's command-and-control servers via an agent that relays the traffic.
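A kernel-module rootkit that unlinks itself from the kernel's module list disappears from `lsmod`, but the kernel usually still exposes it elsewhere: its symbols stay tagged with the module name in `/proc/kallsyms`, and its `/sys/module/<name>/` directory (with an `initstate` file, which built-in code never has) stays in place. The script below cross-checks those three views and reports modules that lsmod would omit. It is an added, generic example written for this article; it is not the agencies' published Drovorub detection rules, and the module name `hidden_mod` and the sample file contents are constructed for illustration.

```python
"""Cross-check kernel-module visibility to spot a module hiding itself.

Added example (not from the FBI/NSA advisory). It compares:
  /proc/modules            -- the list lsmod prints
  /proc/kallsyms           -- symbols of loaded modules carry a "[name]" tag
  /sys/module/<name>/initstate -- present for loaded modules, absent for built-ins
"""
import os
import re

_KALLSYMS_RE = re.compile(r"^[0-9a-fA-F]+\s+\S\s+\S+\s+\[([^\]]+)\]$")


def parse_proc_modules(text):
    """Names from /proc/modules text (what lsmod reads); first field per line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_kallsyms(text):
    """Module names owning at least one tagged symbol in /proc/kallsyms text.

    Only loadable-module symbols carry a trailing "[name]" tag; built-in
    kernel code has none, so this set is exactly what the kernel has loaded,
    whether or not the module still sits in the module list.
    """
    mods = set()
    for line in text.splitlines():
        m = _KALLSYMS_RE.match(line.strip())
        if m:
            mods.add(m.group(1))
    return mods


def find_hidden_modules(listed, in_kallsyms, in_sysfs):
    """Return modules the kernel shows evidence of but lsmod would omit.

    listed      -- names from /proc/modules
    in_kallsyms -- names owning tagged symbols in /proc/kallsyms
    in_sysfs    -- names that have /sys/module/<name>/initstate
    """
    return sorted((in_kallsyms | in_sysfs) - listed)


def live_check():
    """Read the real interfaces on a Linux host (root needed for useful kallsyms addresses)."""
    with open("/proc/modules") as f:
        listed = parse_proc_modules(f.read())
    with open("/proc/kallsyms") as f:
        in_kallsyms = parse_kallsyms(f.read())
    in_sysfs = {
        name for name in os.listdir("/sys/module")
        if os.path.exists(os.path.join("/sys/module", name, "initstate"))
    }
    return find_hidden_modules(listed, in_kallsyms, in_sysfs)


# Constructed sample input: "hidden_mod" is a hypothetical module that
# unlinked itself from the module list but still owns symbols and a sysfs
# entry, which is exactly the inconsistency this check is after.
SAMPLE_PROC_MODULES = """\
ext4 778240 1 - Live 0xffffffffc0a00000
nf_tables 245760 0 - Live 0xffffffffc09c0000
"""
SAMPLE_KALLSYMS = """\
ffffffffc0a01230 t ext4_fill_super\t[ext4]
ffffffffc09c0a40 t nft_do_chain\t[nf_tables]
ffffffffc0b10000 t hook_getdents\t[hidden_mod]
ffffffff81000000 T _text
"""
SAMPLE_SYSFS_LOADED = {"ext4", "nf_tables", "hidden_mod"}


def sample_check():
    """Run the check over the constructed sample; expected: ['hidden_mod']."""
    return find_hidden_modules(
        parse_proc_modules(SAMPLE_PROC_MODULES),
        parse_kallsyms(SAMPLE_KALLSYMS),
        SAMPLE_SYSFS_LOADED,
    )


if __name__ == "__main__":
    print("sample:", sample_check())
    if os.path.isdir("/sys/module"):
        print("this host:", live_check() or "no discrepancies")
```

The caveat a practitioner needs: this check runs in user space on the same kernel the rootkit controls, and a module that hooks the file reads or directory listings behind `/proc` and `/sys` (the sample's `hook_getdents` hints at that) can lie to it as well. A clean result therefore lowers suspicion but does not clear the host; a memory capture examined offline, or booting a known-good kernel to inspect the disk, is the stronger answer when a host is suspected.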
The US authorities did not disclose which targets the group has attacked with the malware. It also remains unclear how long the malware has been in use and how it got onto the Linux devices.