NSA, FBI Warn of Linux Malware Used in Espionage Attacks (Security News, August 2020)
According to a Thursday advisory from the National Security Agency and the Federal Bureau of Investigation, the Drovorub malware poses a particular threat to national security systems, including Department of Defense and Defense Industrial Base customers that run Linux.
"Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control server," according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. "When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as 'root'; and port forwarding of network traffic to other hosts on the network."
Despite the in-depth report, the FBI and NSA did not detail the initial attack vector used to deploy the malware.
"We can see that Fancy Bear has used their own Linux malware in the past, the most notorious case being the Linux version of their flagship backdoor XAgent, also known as Fysbis, four to five years ago," Alexis Dorais-Joncas, Security Intelligence Team Lead for ESET, told Threatpost.
"This will prevent Drovorub from being able to hide itself on a system. The other detection and mitigation options, such as Snort and Yara rules, will naturally have a limited lifetime, as they are expected to be the first things changed in future versions of the malware to avoid detection," according to the FBI and NSA. "They should be used as quickly as possible before changes are made."
News URL
https://threatpost.com/nsa-fbi-warn-of-linux-malware-used-in-espionage-attacks/158351/