Cmd Advisory: “Drovorub” Linux Malware Strain

By: Jake King

In a joint advisory released Thursday, the National Security Agency and the Federal Bureau of Investigation detailed a previously undisclosed Linux malware strain named “Drovorub” that the two agencies attribute to the Russian General Staff Main Intelligence Directive (GRU) 85th Main Special Service Center (GTsSS) military unit 26165, more commonly known as APT28, Fancy Bear, Sofacy, STRONTIUM, or Sednit.

The advisory details the inter-operation, communication mechanisms, detection techniques and mitigation strategies for the four major components of the Linux malware toolchain which consists of a userland implant binary (Drovorub-client), kernel module based-rootkit (Drovorub-kernel), file transfer and port forwarding tool (Drovorub-agent) and corresponding Command and Control (C2) server (Drovorub-server).

Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware, National Security Agency & Federal Bureau of Investigation Cybersecurity Advisory
Drovorub Components, Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware, National Security Agency & Federal Bureau of Investigation Cybersecurity Advisory

How does Drovorub operate?

After an initial foothold into a Linux system is achieved, malware such as the Drovorub strain is able to maintain persistence by deploying a loadable kernel module (LKM) which has the ability to hook and modify underlying system calls useful for hiding userland components, files, directories, and open or active network connections.

Persistence is achievable across reboots by configuring a particular kernel module for automatic loading during the initial boot process by modifying a variety of potential configuration or script files that are run or referenced during the boot process. These file modifications include but are not limited to:

  • /etc/sysconfig/modules/*.modules
  • /etc/modules
  • /etc/modules.conf
  • /etc/modules-load.d/*.conf

Who is at risk from Drovorub?

Advanced threat groups like APT28 have long histories of targeting a wide variety of organizations and individuals across a plethora of industries, including (but not limited to) governments, defense, energy, aerospace, media and dissidents.

In short, anyone that does not either have full Secure Boot enabled including kernel and module signing enforcement, or at the very least kernel module signing enforcement, is at risk for this appearing within their organization.

If you have legacy Linux servers or devices it is recommended that you update to a Linux Kernel version of at least 3.7 or later to take advantage of kernel signing enforcement.

Detection and prevention techniques

Once a malware strain such as Drovorub is able to maintain persistence using kernel level code, traditional file or hash based detection mechanisms are no longer an effective avenue for runtime detection.

The advisory details a number of detection mechanisms for various components of the Drovorub malware using Snort signatures, Yara rules, file carving using a full memory snapshot with Volatility and runtime behaviour detection based on the particular strain observed.

Cmd Control

For Cmd Control customers, the following MITRE ATT&CK triggers provide detection and prevention capabilities for techniques that malware strains like Drovorub utilize to maintain persistence.

  • Cmd – ATT&CK T1014 – Linux Kernel Module Loaded
  • Cmd – ATT&CK T1547 – Boot or Logon Autostart Execution: Kernel Modules and Extensions

Cmd Audit and Cmd Free

For Cmd Audit customers or Cmd Free users, the following triggers exist for detection of run-time hot-loading of kernel modules.

  • Cmd – ATT&CK T1014 – Linux Kernel Module Loaded

If you do not see these triggers in your environment, please reach out to have the latest Cmd trigger set deployed to your projects. You can also request a 15-minute session to walk through how to best detect and defend these kinds of threats in the future.

To activate your own account of Cmd Free to get system-wide visibility that can help discover advanced threats like Drovorub, click here.


Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware (August 2020 Rev 1.0) – U/OO/160679-20 PP-20-0714.

Get Started

Gain true visibility
in minutes_

Ramp up your Linux defense strategies
and see what you've been missing.



Share via
Copy link
Powered by Social Snap