Detection Content: Drovorub Malware

Last week, the FBI and NSA released a joint security alert containing details about Drovorub malware, a new utility in APT28’s hands. This is a Linux malware that is used to deploy backdoors in compromised networks. The malware is a multi-component system that consists of a kernel module rootkit, an implant, a C&C server, a port-forwarding module, and a file transfer tool.

Drovorub enables the APT28 group to perform various functions including stealing files and remote controlling the attacked system. The malware is highly stealthy, its authors armed it with advanced ‘rootkit’ technologies to complicate the detection. Drovorub malware is used in multi-stage campaigns and it requires that the APT group gain root privileges before successful installation.

System administrators are advised to upgrade to Linux Kernel 3.7 or later in order to avoid being susceptible to attack. Ariel Millahuel released new community rule that uncovers traces of Drovorub malware on Linux systems: https://tdm.socprime.com/tdm/info/RndBRUBsT9xr/mkH0AHQBPeJ4_8xcaxwx/?p=1

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Rootkit (T1014)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.