NSA and CIA Warn That The Russians Are Deploying Linux-Specific "Drovorub" Malware
The Americans have released a 45 page long document accusing the Russians of using a Linux malware toolset dubbed "Drovorub" to spy on American interests. The "Drovorub" malware has a kernel module that allows it to hide itself and provide the user-space parts of the toolkit with kernel-level functionality by turning /dev/zero into a two-way communications channel. It can hide files, processes, network traffic and kernel modules from system administrators, which makes it hard to detect. The American document does not mention what attack vectors are used to deploy it on target systems.
written by 윤채경 (Yoon Chae-kyung). published 2020-08-14 - last edited 2020-09-04
The Americans are convinced that the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) is the organization behind a rather advanced proprietary malware toolkit they have dubbed "Drovorub". The GTsSS may or may not be the Russian subsidiary that is actually behind several seemingly independent malware groups like "Fancy Bear", "APT28", "Pawn Storm", "Sofacy group" and "STRONTIUM". The Americans are claiming that is indeed the case in a 45 page long joint report published on August the 13th by the NSA and the FBI titled "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware".
The American report details a malware toolset dubbed "Drovorub". It consists of a kernel module rootkit, a port forwarding and file transfer tool and a Command and Control server.
| Component | Role |
|---|---|
| Drovorub-agent | Port Forwarding and File Transfer Tool |
| Drovorub-server | Command and Control (C2) Server |
The "Drovorub" Kernel Module
The Drovorub-client, Drovorub-agent and Drovorub-server parts of the malware toolkit communicate via JSON sent over regular WebSockets. The kernel module is special. It turns /dev/zero into a two-way communications channel between the kernel module and the user-space components. The user-space components can use the kernel module's functionality by writing a signature string followed by a command and an argument, separated by a colon (:), to /dev/zero. The signature string is, as of the "Drovorub" malware the NSA and FBI have identified, ASDFZXCV.
If you are infected with "Drovorub" malware and you create a test file with
touch myfile.test
and you send the kernel module a request to hide (hf) that file with
echo "ASDFZXCV:hf:myfile.test" > /dev/zero
myfile.test will "disappear" from the file system. It will not show up when you run ls, even if you do so as
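The file-hiding behaviour described above can be turned into a host check run from the defender's side: create a scratch file, write the hide request with the signature and command format quoted above to /dev/zero, and see whether the file vanishes from a directory listing. On a clean host a write to /dev/zero is simply discarded and the file stays visible. This is an added example, not code from the article or from the NSA/FBI report; the signature (ASDFZXCV) and the hf/uf commands are the ones the article quotes, and the script assumes /dev/zero is writable (if it is not, the result is reported as inconclusive rather than clean).

```python
import os
import tempfile

# Signature and command names as quoted in the article (the report's values,
# not something this example invents).
SIGNATURE = "ASDFZXCV"
CHANNEL = "/dev/zero"


def build_command(command, argument, signature=SIGNATURE):
    """Format a request the way the article shows it being echoed:
    signature:command:argument, newline-terminated like `echo` output."""
    return f"{signature}:{command}:{argument}\n"


def send_command(command, argument, channel=CHANNEL):
    """Write one request to the channel.  Returns False if the channel
    cannot be opened or written (e.g. inside a locked-down container)."""
    try:
        with open(channel, "w") as dev:
            dev.write(build_command(command, argument))
        return True
    except OSError:
        return False


def probe_file_hiding(directory=None, channel=CHANNEL):
    """Create a scratch file, ask a resident Drovorub module to hide it and
    report whether it disappeared.  'verdict' is one of:
      'clean'        - the file is still listed (nothing acted on the request)
      'hidden'       - the file vanished from listdir()/stat(): a rootkit answered
      'inconclusive' - the channel could not be written, so nothing was tested
    """
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix="drovorub-probe-", dir=directory)
    os.close(fd)
    name = os.path.basename(path)
    result = {"probe_file": path, "verdict": "inconclusive"}
    try:
        if not send_command("hf", name, channel):
            return result
        listed = name in os.listdir(directory)   # what `ls` would show
        statable = os.path.exists(path)          # what a direct stat() sees
        result.update(listed=listed, statable=statable)
        result["verdict"] = "clean" if listed else "hidden"
        return result
    finally:
        # Undo the hide request (a no-op on a clean host), then clean up.
        send_command("uf", name, channel)
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
        result["cleaned_up"] = not os.path.exists(path)


if __name__ == "__main__":
    print(probe_file_hiding())
```

Because the signature is a constant that any later sample could change, the check is only as good as the signature it sends; it tells you a module answering to this exact string is present, never that a host is free of rootkits.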
The kernel module has a long list of other cool features:
| Command | Function |
|---|---|
| hf | Hide a file |
| uf | Unhide a file |
| hm | Hide a module |
| um | Unhide a module |
| hp | Hide a process |
| up | Unhide a process |
| rs | Register client with kernel module |
| ht | Hide TCP port |
| ut | Unhide TCP port |
| hu | Hide UDP port |
| uu | Unhide UDP port |
The sum of this functionality means that "Drovorub" can hide files, directories, processes, network traffic and kernel modules, including its own.
The kernel module can also use /dev/zero to send data back to user-space processes so they know whether a command was executed successfully or not. The kernel module notifies the user-space process that data is available to be read with a SIGUSR1 signal. That data is only sent when the process it is meant for opens /dev/zero; you get nothing if you simply cat /dev/zero, even if there is data waiting for one of the malware toolkit's user-space processes.
The Obvious Question
The document provided by the NSA and FBI is very detailed when it comes to many aspects of the "Drovorub" malware's functionality. It details how the kernel module works, how the user-space components communicate, what the generated network traffic looks like and much more. There is even a section titled "Why is the malware called “Drovorub”, and what does it mean?" which claims that:
"The name Drovorub comes from a variety of artifacts discovered in Drovorub files and from operations conducted by the GTsSS using this malware; it is the name used by the GTsSS actors themselves. Drovo [дрово] translates to “firewood”, or “wood”. Rub [руб] translates to "to fell”, or “to chop.” Taken together, they translate to “woodcutter” or “to split wood.”"
The 45 page long document does not have a single paragraph detailing or even speculating on how the malware goes about getting the initial root access required to load a malicious kernel module. You can't just open a socket to a target machine's IP and magically get it to insert a kernel module; you need some kind of attack vector. It is interesting that they chose not to touch upon that subject.
Countermeasures & Detection
The NSA and FBI "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware" document details a long list of ways rootkits like "Drovorub" can be detected. None of them are trivial. Details on detection start on page 30.
One simple way Linux users and system administrators can prevent malware like "Drovorub" from installing kernel modules is to enable UEFI Secure Boot in full security mode in the BIOS (not "compatibility" mode), use one of the big GNU/Linux distributions with support for Secure Boot and signed modules, and stick with the distribution-provided kernel. That would prevent you from compiling and using your own kernel or third party modules, so it may not be worth it if you are a casual home user. It is probably a good idea if you're a system administrator managing rooms full of servers used to process very valuable data. Do keep in mind that most rootkits do not have their own kernel module. Those can infect machines with an exploitable attack vector just fine even if UEFI Secure Boot is enabled; Secure Boot will not prevent malicious code from running as root. You need to ensure that your machine does not have any exploitable attack vectors to ensure that your box does not get infected with malware.
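The advice above boils down to a few questions a defender can ask a running Linux host: is Secure Boot on, does the kernel enforce module signatures, is kernel lockdown active, and has an unsigned module already been loaded? The script below reads the standard Linux interfaces for each and turns the answers into a short list of gaps. It is an added example, not code from the article or the report; the efivarfs, sysfs and procfs paths it reads are the usual kernel-provided ones (the SecureBoot EFI variable under the EFI global variable GUID, module.sig_enforce, the lockdown securityfs file and the kernel taint mask), and it assumes the host exposes them, reporting a value as unknown where a file is missing or unreadable.

```python
import os

# Standard Linux locations (efivarfs, sysfs, procfs).  Whether a given host
# exposes each one is an assumption; missing files are reported as unknown.
SECUREBOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"
LOCKDOWN = "/sys/kernel/security/lockdown"
MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"
TAINTED = "/proc/sys/kernel/tainted"

TAINT_OOT_MODULE = 1 << 12       # taint flag 'O': out-of-tree module loaded
TAINT_UNSIGNED_MODULE = 1 << 13  # taint flag 'E': unsigned module loaded


def parse_secureboot_var(raw):
    """efivarfs files carry a 4-byte attribute word before the variable data.
    SecureBoot's data is one byte: 1 = enabled, 0 = disabled."""
    if raw is None or len(raw) < 5:
        return None
    return raw[4] == 1


def parse_lockdown(text):
    """The lockdown file reads like '[none] integrity confidentiality';
    the bracketed word is the active mode."""
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return None


def unsigned_module_loaded(taint_mask):
    """True if the kernel has ever loaded a module without a valid signature."""
    return bool(taint_mask & TAINT_UNSIGNED_MODULE)


def _read(path, binary=False):
    try:
        with open(path, "rb" if binary else "r") as fh:
            return fh.read()
    except OSError:
        return None


def module_loading_posture():
    """Collect the host's answers; None means the interface was not available."""
    sig = _read(SIG_ENFORCE)
    lockdown = _read(LOCKDOWN)
    disabled = _read(MODULES_DISABLED)
    taint = _read(TAINTED)
    return {
        "secure_boot": parse_secureboot_var(_read(SECUREBOOT_VAR, binary=True)),
        "sig_enforce": None if sig is None else sig.strip() == "Y",
        "lockdown": None if lockdown is None else parse_lockdown(lockdown),
        "modules_disabled": None if disabled is None else disabled.strip() == "1",
        "unsigned_module_loaded": None if taint is None else unsigned_module_loaded(int(taint)),
    }


def findings(posture):
    """Reduce the posture to the gaps that matter for a kernel-module rootkit."""
    gaps = []
    if posture["secure_boot"] is not True:
        gaps.append("UEFI Secure Boot not confirmed enabled")
    if posture["sig_enforce"] is not True:
        gaps.append("kernel does not enforce module signatures (module.sig_enforce != Y)")
    if posture["lockdown"] not in ("integrity", "confidentiality"):
        gaps.append("kernel lockdown not active")
    if posture["unsigned_module_loaded"]:
        gaps.append("taint flag E set: an unsigned module has already been loaded")
    return gaps


if __name__ == "__main__":
    posture = module_loading_posture()
    for key, value in posture.items():
        print(f"{key:24} {value}")
    print("gaps:", findings(posture) or "none")
```

Note that a set taint flag is historical: it stays set for the lifetime of the boot even if the module has since been unloaded or is hiding itself, which is exactly what makes it a useful trace against a rootkit that hides from lsmod.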