NSA, FBI Warn of Linux Malware Used in Espionage Attacks (Security News, August 2020)
According to an advisory published Thursday by the National Security Agency and the Federal Bureau of Investigation, the malware, which the agencies call Drovorub, poses a particular threat to National Security Systems and to Department of Defense and Defense Industrial Base customers that run Linux.
"Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control server," according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. "When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as 'root'; and port forwarding of network traffic to other hosts on the network."
Despite the depth of the report, the FBI and NSA did not detail the initial attack vector used to get Drovorub onto a victim system.
"We can see that Fancy Bear has used their own Linux malware in the past, the most notorious case being the Linux version of their flagship backdoor XAgent, also known as Fysbis, four to five years ago," Alexis Dorais-Joncas, Security Intelligence Team Lead for ESET, told Threatpost.
"This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection," according to the FBI and NSA. "They should be used as quickly as possible before changes are made."
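The "This" in the quoted passage refers, in the advisory itself, to enforcing kernel module signing (available since Linux kernel 3.7) together with UEFI Secure Boot, so that the unsigned Drovorub kernel module cannot be loaded and therefore cannot hide anything; the page does not restate that, and it is supplied here from the advisory. The shell script below is an added example, not code from the advisory or from Threatpost: it audits a host for exactly that posture. The sysfs and efivars paths are the kernel's standard locations; the version strings and fixture files mentioned in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory or the article): audit whether a
# Linux host has the mitigation the Drovorub advisory relies on, i.e. a kernel
# new enough (>= 3.7) to enforce module signatures, enforcement switched on,
# and UEFI Secure Boot enabled. Unsigned modules such as Drovorub's rootkit
# cannot load when all three hold. POSIX sh, no bashisms.

# kernel_at_least MAJOR MINOR [VERSION]
# Succeeds when VERSION (default: uname -r) is >= MAJOR.MINOR.
kernel_at_least() {
    want_major=$1
    want_minor=$2
    ver=${3:-$(uname -r)}
    # Keep only the leading dotted numeric part: "5.15.0-91-generic" -> "5.15.0"
    num=$(printf '%s' "$ver" | sed 's/[^0-9.].*//')
    have_major=${num%%.*}
    [ -n "$have_major" ] || return 1
    case $num in
        *.*) rest=${num#*.}; have_minor=${rest%%.*} ;;
        *)   have_minor=0 ;;
    esac
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    fi
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# module_sig_enforced [FILE]
# Succeeds when the running kernel refuses unsigned modules. FILE defaults to
# the sysfs parameter, which reads "Y" when CONFIG_MODULE_SIG_FORCE is built in
# or module.sig_enforce=1 was given on the kernel command line. Returns 2 when
# the parameter is absent (kernel built without module signing support).
module_sig_enforced() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "Y" ]
}

# secure_boot_enabled [FILE]
# Succeeds when the UEFI SecureBoot variable is 1. An efivars file holds four
# bytes of attributes followed by the variable's data, here a single byte.
# Returns 2 when the variable is unreadable (legacy BIOS boot, efivarfs not
# mounted, or insufficient privilege).
secure_boot_enabled() {
    f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$f" ] || return 2
    val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ "$val" = "1" ]
}

# posture_summary [VERSION] [SIG_FILE] [SB_FILE]
# Prints one line per check and returns the number of checks that did not
# pass. "Unknown" results count as failures: an unconfirmed control is not
# a control.
posture_summary() {
    fails=0
    if kernel_at_least 3 7 "$1"; then
        echo "kernel >= 3.7 (signed-module enforcement available): yes"
    else
        echo "kernel >= 3.7 (signed-module enforcement available): NO"
        fails=$((fails + 1))
    fi
    rc=0; module_sig_enforced "$2" || rc=$?
    case $rc in
        0) echo "module signature enforcement: on" ;;
        2) echo "module signature enforcement: unknown (parameter not present)"; fails=$((fails + 1)) ;;
        *) echo "module signature enforcement: OFF"; fails=$((fails + 1)) ;;
    esac
    rc=0; secure_boot_enabled "$3" || rc=$?
    case $rc in
        0) echo "UEFI Secure Boot: enabled" ;;
        2) echo "UEFI Secure Boot: unknown (no efivars; legacy BIOS boot?)"; fails=$((fails + 1)) ;;
        *) echo "UEFI Secure Boot: DISABLED"; fails=$((fails + 1)) ;;
    esac
    return $fails
}

# Audit the live host when run as a script; the exit status of the summary
# is the number of failed checks, so it can feed a fleet-wide inventory.
status=0
posture_summary || status=$?
echo "failed checks: $status"
```

Run it as root on the host under review; `module_sig_enforced` and `secure_boot_enabled` accept an explicit file argument so the logic can be exercised against constructed fixtures (for example a file containing `Y`, or five bytes `06 00 00 00 01` standing in for the efivars variable) without rebooting anything. Note that a kernel at or above 3.7 only makes enforcement possible; the parameter check is what confirms it is actually on.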
News URL: https://threatpost.com/nsa-fbi-warn-of-linux-malware-used-in-espionage-attacks/158351/