Drovorub Toolset
Drovorub is a sophisticated modular malware platform created by the APT28 threat group, also known as Fancy Bear, for use in their own attacks against government, political, financial, and telecommunications organisations in Europe and the United States.
Summary
Drovorub is a sophisticated modular malware platform created by the APT28 threat group, also known as Fancy Bear, for use in their own attacks against government, political, financial, and telecommunications organisations in Europe and the United States.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
First observed in 2019, Drovorub is a multi-component malware toolset believed to have been created by the APT28 advanced persistent threat group for use in their own campaigns throughout Western Europe and North America.
Russian for 'woodcutter', it consists of a host module, a kernel rootkit, and a file transfer and port forwarding agent, as well as a separate command and control (C2) server.
Delivery
At the time of publication, it is unclear exactly how Drovorub is initially delivered, although there are unconfirmed reports indicating the host and rootkit component may be distributed via previously compromised websites.
APT28 are known to perform extensive target profiling and network reconnaissance before deploying their tools, and have used sophisticated social engineering attacks and zero-day exploits in previous campaigns.
Activities
Drovorub's host and rootkit components appear to install in sequence, with the rootkit first creating system hooks in order to hide all Drovorub-associated processes, files, sockets, and Netfilter components; with the host component only installing if the rootkit is successful. The host component then connects the Drovorub C2 server to download a list of additional items to hide before awaiting further commands.
By default, the host component is able to act as a remote shell, transfer files from the affected system, forward network traffic, and pass commands to the rootkit. Drovorub's port forwarding component appears to be based on the host component, with many of the same features, and appears to be installed on APT28-controlled infrastructure to act as a file and port relay for Drovorub campaigns.
Remediation advice
Several of Drovorub's rootkit component features are reliant on the lack of kernel signing enforcement, available in Linux 3.7 onwards. Affected organisations are encouraged to contact their relevant vendors and update any distributions to kernel version 3.7 or later. Organisations are also encouraged to configure systems so that they may only load modules with valid signatures.
Additionally, to prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Definitive source of threat updates
Last edited: 18 August 2020 3:45 pm