Light Dark
February 11, 2021 By David Bisson 2 min read
News

Russian digital espionage group Fancy Bear incorporated a new malware threat into their attack campaigns, according to the National Security Agency (NSA) and the FBI.

In their joint advisory last year, the NSA and FBI explained the Linux-based malware — dubbed “Drovorub” by researchers — consists of three different components: a kernel module rootkit, a file transfer and port forwarding kit and a command-and-control (C&C) tool.

They found that these traits made it possible for Fancy Bear, also known as “APT28” and “Strontium,” to download and upload files, execute arbitrary commands as root and port forward network traffic on other hosts.

What is Fancy Bear?

Researchers at the NSA and FBI attributed Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector organizations assigned “APT28,” “Fancy Bear” and other identifiers to this group over the course of analyzing some of its other attack campaigns over the past few years.

Fancy Bear has been named as the group behind several other recent attack campaigns. In late August 2019, Fancy Bear launched a new attack campaign targeting embassies and foreign affairs ministries in Eastern Europe and Central Asia. ESET found that the operation began with a phishing email containing a malicious attachment. It then led the victim through a chain of downloaders, including one written in the Nim programming language, before dropping the Zebrocy backdoor.

A month later, Fancy Bear launched a series of digital attacks targeting anti-doping organizations and other sports entities. APT28 folded spear-phishing tactics, password spraying and exploits involving web-connected devices into their attacks.

Trend Micro published a report in March 2020 detailing the attack campaigns of Pawn Storm, another identifier employed by Fancy Bear. Among other findings, this report revealed the threat group had integrated credential phishing and scanning for servers into their most recent attacks.

Several months after that, Wired covered an attack campaign stretching from December 2018 until at least May of last year. In this operation, Fancy Bear targeted the mail servers, email accounts and VPNs of organizations based in the United States, including government institutions and education agencies.

Organizations in the private sector also attributed Drovorub to Fancy Bear. They did so by identifying linkages between the malware’s operational C&C infrastructure and the digital attack infrastructure employed by the threat group.

Malware Using Multiple Evasion Techniques

During their analysis, the FBI and NSA found that Drovorub’s kernel module employed several different techniques to hide its artifacts from users. For instance, the government entities found that the kernel module used process hiding by concealing its processes from both system calls and from the proc filesystem. They also found the malware hooked either the iterate_dir() or vfs_readdir() kernel functions, which enabled it to conceal files; hid network sockets by filtering out hidden sockets after hooking a kernel function; registered a Netfilter hook to filter packets in the kernel; and hooked the skb_recv_datagram() kernel function to hide from raw socket services.

How to Detect Drovorub 

Notwithstanding the malware threat’s evasion techniques, the FBI and NSA observed that organizations could use several tactics to detect Drovorub. Intrusion detection systems (IDSes) could spot C&C messages exchanged between the malware’s client or agent and its server, for example. Researchers found this method could be subject to evasion, however. Alternatively, organizations could use a script that communicates with the kernel module to probe for the malware, though the threat could evade this detection tactic, too.

Organizations can ultimately try to prevent a Drovorub infection by using their comprehensive vulnerability management program to apply updates to their Linux-based machines. They should also configure their systems to prevent untrusted Linux modules from loading.

 |  |  | 
David Bisson
Contributing Editor

More from News
December 19, 2023

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

August 16, 2023

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature