This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew.
Uncle Sam explicitly said on Thursday the miscreants - formally known as the 85th Main Special Service Center - operate within the Russian intelligence directorate, aka the GRU. The software nasty in question is Drovorub, a rootkit designed to infect Linux systems, take control of them, and siphon off files.
"When deployed on a victim machine, the Drovorub implant provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as root; and port forwarding of network traffic to other hosts on the network," the NSA and FBI said in their detailed teardown [PDF] of the malware.
The Drovorub kernel module poses a challenge to large-scale detection ... While the FBI and NSA didn't discuss this aspect of the operation, the Fancy Bear crew tends to work on extremely high-value areas that the Kremlin has an interest in - things like foreign governments, technology blueprints, commercial deals, and compromising information, aka kompromat.
These steps alone won't protect you against the spear-phishing techniques and zero-day vulnerabilities Fancy Bear uses to get Drovorub onto networks in the first place.
News URL: https://go.theregister.com/feed/www.theregister.com/2020/08/13/drovorub_nsa_fbi/