The National Security Agency (NSA) and FBI have issued a warning about a new Linux malware dubbed “Drovorub” that is believed to have been developed by Russian military hackers.
According to a report based on data collected by the agencies, the Linux malware strain is the work of APT28, a notorious hacking group from military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The intention behind spreading the malware is espionage and stealing secrets from the public sector and IT companies.
Drovorub Linux Malware
Drovorub Linux malware, as per the two agencies, consists of an implant, a file transfer tool, a kernel module rootkit, a command and control server, and a port forwarding module. The report mentions that the malware is highly stealthy and can stay undetected on machines owing to the advanced rootkit techniques the hackers deploy. These stealth capabilities make it easy for the hackers to target different types of platforms and to initiate attacks at any time.
The report describes how each component of the Linux malware functions: the components communicate with each other using JSON over WebSockets, and the traffic is encrypted from the server module using the RSA algorithm.
How to stay safe from Drovorub Linux Malware?
The NSA and FBI have listed a few precautionary measures that could be used to stay safe from the new strain of Linux malware:
- Keep all Linux systems updated to kernel version 3.7 or later.
- Systems must be configured to load modules with digital signatures.
- Enable the UEFI Secure Boot verification mechanism.
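The following script is an added example, not code from the NSA/FBI advisory, that audits a host against the three measures listed above. It assumes the standard sysfs path for `module.sig_enforce` and the standard efivars path for the `SecureBoot` variable; each check takes its input as a parameter so it can also be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a Linux host for the three
# Drovorub mitigations: kernel >= 3.7, enforced module signatures, and
# UEFI Secure Boot. Paths below are the standard sysfs/efivars locations.

# kernel_at_least VERSION MIN: succeed if VERSION (e.g. "5.15.0-91-generic")
# is >= MIN (e.g. "3.7"), comparing the major.minor part only.
kernel_at_least() {
    v_major=${1%%.*}; m_major=${2%%.*}
    case $1 in *.*) v_minor=${1#*.};; *) v_minor=0;; esac
    case $2 in *.*) m_minor=${2#*.};; *) m_minor=0;; esac
    v_minor=${v_minor%%[!0-9]*}; m_minor=${m_minor%%[!0-9]*}
    [ "$v_major" -gt "$m_major" ] && return 0
    [ "$v_major" -eq "$m_major" ] && [ "${v_minor:-0}" -ge "${m_minor:-0}" ]
}

# module_sig_enforced [PATH]: succeed if the kernel refuses unsigned modules
# (sysfs exposes this as "Y" in module.sig_enforce).
module_sig_enforced() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# secure_boot_enabled [PATH]: succeed if the EFI SecureBoot variable's data
# byte (offset 4, after the 4-byte attribute header in efivars) is 1.
secure_boot_enabled() {
    f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$f" ] && [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ]
}

# check_host: print one PASS/FAIL line per mitigation; return the number failed.
check_host() {
    failed=0
    if kernel_at_least "$(uname -r)" 3.7; then echo "PASS kernel $(uname -r) >= 3.7"
    else echo "FAIL kernel $(uname -r) < 3.7"; failed=$((failed+1)); fi
    if module_sig_enforced; then echo "PASS module signature enforcement on"
    else echo "FAIL unsigned kernel modules can be loaded"; failed=$((failed+1)); fi
    if secure_boot_enabled; then echo "PASS UEFI Secure Boot enabled"
    else echo "FAIL UEFI Secure Boot disabled or not a UEFI boot"; failed=$((failed+1)); fi
    return "$failed"
}

check_host || echo "$? mitigation(s) missing; see the lines marked FAIL"
```

`module.sig_enforce` reads `N` on kernels that reject unsigned modules only through kernel lockdown, so treat a FAIL on that line as a prompt to verify the lockdown state rather than a final verdict.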