Malware: Group Targeting Embassies Adds ‘Drovorub’ Campaign

Russian digital espionage group Fancy Bear incorporated a new malware threat into their attack campaigns, according to the National Security Agency (NSA) and the FBI.

In their joint advisory last year, the NSA and FBI explained the Linux-based malware — dubbed “Drovorub” by researchers — consists of three different components: a kernel module rootkit, a file transfer and port forwarding kit and a command-and-control (C&C) tool.

They found that these traits made it possible for Fancy Bear, also known as “APT28” and “Strontium,” to download and upload files, execute arbitrary commands as root and port forward network traffic on other hosts.

What is Fancy Bear?

Researchers at the NSA and FBI attributed Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector organizations assigned “APT28,” “Fancy Bear” and other identifiers to this group over the course of analyzing some of its other attack campaigns over the past few years.

Fancy Bear has been named as the group behind several other recent attack campaigns. In late August 2019, Fancy Bear launched a new attack campaign targeting embassies and foreign affairs ministries in Eastern Europe and Central Asia. ESET found that the operation began with a phishing email containing a malicious attachment. It then led the victim through a chain of downloaders, including one written in the Nim programming language, before dropping the Zebrocy backdoor.

A month later, Fancy Bear launched a series of digital attacks targeting anti-doping organizations and other sports entities. APT28 folded spear-phishing tactics, password spraying and exploits involving web-connected devices into their attacks.

Trend Micro published a report in March 2020 detailing the attack campaigns of Pawn Storm, another identifier employed by Fancy Bear. Among other findings, this report revealed the threat group had integrated credential phishing and scanning for servers into their most recent attacks.

Several months after that, Wired covered an attack campaign stretching from December 2018 until at least May of last year. In this operation, Fancy Bear targeted the mail servers, email accounts and VPNs of organizations based in the United States, including government institutions and education agencies.

Organizations in the private sector also attributed Drovorub to Fancy Bear. They did so by identifying linkages between the malware’s operational C&C infrastructure and the digital attack infrastructure employed by the threat group.

Malware Using Multiple Evasion Techniques

During their analysis, the FBI and NSA found that Drovorub’s kernel module employed several different techniques to hide its artifacts from users. For instance, the government entities found that the kernel module used process hiding by concealing its processes from both system calls and from the proc filesystem. They also found the malware hooked either the iterate_dir() or vfs_readdir() kernel functions, which enabled it to conceal files; hid network sockets by filtering out hidden sockets after hooking a kernel function; registered a Netfilter hook to filter packets in the kernel; and hooked the skb_recv_datagram() kernel function to hide from raw socket services.

How to Detect Drovorub 

Notwithstanding the malware threat’s evasion techniques, the FBI and NSA observed that organizations could use several tactics to detect Drovorub. Intrusion detection systems (IDSes) could spot C&C messages exchanged between the malware’s client or agent and its server, for example. Researchers found this method could be subject to evasion, however. Alternatively, organizations could use a script that communicates with the kernel module to probe for the malware, though the threat could evade this detection tactic, too.

Organizations can ultimately try to prevent a Drovorub infection by using their comprehensive vulnerability management program to apply updates to their Linux-based machines. They should also configure their systems to prevent untrusted Linux modules from loading.