Last week, the FBI and NSA released a joint security alert containing details about Drovorub malware, a new utility in APT28's hands. It is Linux malware used to deploy backdoors in compromised networks. The malware is a multi-component system consisting of a kernel module rootkit, an implant, a C&C server, a port-forwarding module, and a file transfer tool.

Drovorub enables the APT28 group to perform various functions, including stealing files and remotely controlling the attacked system. The malware is highly stealthy: its authors equipped it with advanced rootkit techniques to complicate detection. Drovorub is used in multi-stage campaigns, and its installation requires the group to first gain root privileges on the target host.

System administrators are advised to upgrade to Linux Kernel 3.7 or later in order to avoid being susceptible to attack. Ariel Millahuel released a new community rule that uncovers traces of Drovorub malware on Linux systems:
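Because the kernel module component hides itself, a useful complement to the log-based rule is a cross-view check run on the host itself. The script below is an added example, not code from the original post or from the community rule, and it contains nothing Drovorub-specific: it applies the generic rootkit-hunting idea of comparing two views of the same kernel state (loaded modules in /proc/modules versus /sys/module, and PIDs returned by listing /proc versus PIDs that answer a direct /proc/<pid>/status probe). The sample /proc/modules text and the status table are constructed for the demonstration; the module name `evil_mod` and PID 300 are invented placeholders.

```python
"""Cross-view checks for a hidden kernel module or hidden process on Linux.

Added example (not part of the original post or the detection rule). A rootkit
that hooks the module list or the /proc directory listing usually hides itself
from one view of kernel state, but rarely from every view at once, so the
views are compared against each other.
"""
import os
import re

# --- constructed sample data (not from a real system) -----------------------
SAMPLE_PROC_MODULES = """\
ext4 782336 1 - Live 0x0000000000000000
e1000 167936 0 - Live 0x0000000000000000
"""
# /sys/module has an entry for evil_mod that /proc/modules does not show
SAMPLE_SYS_MODULES = ["ext4", "e1000", "evil_mod"]

# pid -> contents of /proc/<pid>/status; PID 200 is a thread of PID 2 and
# PID 300 is the constructed "hidden" process
SAMPLE_STATUS = {
    1: "Name:\tinit\nTgid:\t1\nPid:\t1\n",
    2: "Name:\tsshd\nTgid:\t2\nPid:\t2\n",
    200: "Name:\tsshd\nTgid:\t2\nPid:\t200\n",
    300: "Name:\tsneaky\nTgid:\t300\nPid:\t300\n",
}

TGID_RE = re.compile(r"^Tgid:\s*(\d+)", re.MULTILINE)


def parse_proc_modules(text):
    """Return the set of module names from /proc/modules-style text (first column)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def modules_missing_from_proc(proc_modules_text, loaded_sys_modules):
    """Modules present under /sys/module but absent from /proc/modules."""
    return sorted(set(loaded_sys_modules) - parse_proc_modules(proc_modules_text))


def loaded_sys_modules(base="/sys/module"):
    """Names under /sys/module that belong to loadable modules.

    Built-in kernel code also gets a /sys/module/<name> directory (for its
    parameters), so only entries exposing an 'initstate' file are counted;
    that file is created only for loaded modules.
    """
    return [n for n in os.listdir(base)
            if os.path.exists(os.path.join(base, n, "initstate"))]


def is_thread_group_leader(status_text, pid):
    """True when the status text belongs to a process, not one of its threads."""
    m = TGID_RE.search(status_text)
    return m is not None and int(m.group(1)) == pid


def probe_pids(max_pid, read_status):
    """PIDs that answer a direct /proc/<pid>/status probe as thread-group leaders.

    Threads also have /proc/<tid>/status but are not returned by listing /proc,
    so they must be excluded or every multi-threaded process looks "hidden".
    read_status(pid) returns the status text or None; injected for testing.
    """
    found = []
    for pid in range(1, max_pid + 1):
        text = read_status(pid)
        if text is not None and is_thread_group_leader(text, pid):
            found.append(pid)
    return found


def hidden_pids(listed_before, probed, listed_after):
    """PIDs that answered a probe but were absent from both directory listings.

    Taking a second listing after the probe suppresses processes that were
    simply created while the (slow) probe loop was running.
    """
    return sorted(set(probed) - set(listed_before) - set(listed_after))


def read_real_status(pid):
    try:
        with open(f"/proc/{pid}/status") as f:
            return f.read()
    except OSError:
        return None


def listed_pids():
    return [int(n) for n in os.listdir("/proc") if n.isdigit()]


def run_on_live_host():
    """Run both checks against this host; returns (hidden_modules, hidden_pids)."""
    with open("/proc/modules") as f:
        hidden_mods = modules_missing_from_proc(f.read(), loaded_sys_modules())
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read().strip())
    before = listed_pids()
    probed = probe_pids(pid_max, read_real_status)
    return hidden_mods, hidden_pids(before, probed, listed_pids())


if __name__ == "__main__":
    mods, pids = run_on_live_host()
    print("modules in /sys/module but not /proc/modules:", mods)
    print("processes answering a probe but absent from /proc listing:", pids)
```

Run it as root on the host under investigation; a non-empty result on either line is a lead for memory or disk-image analysis, not proof by itself, since a stale module entry or a short-lived process can also appear. Probing every PID up to pid_max takes a few seconds on large pid_max settings, which is why the second /proc listing is taken afterwards.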


The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, Logpoint, Humio

EDR: Carbon Black, Elastic Endpoint

Tactics: Execution, Defense Evasion

Techniques: Command-Line Interface (T1059), Rootkit (T1014)

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.
