February 11, 2021 By David Bisson 2 min read

Russian digital espionage group Fancy Bear incorporated a new malware threat into their attack campaigns, according to the National Security Agency (NSA) and the FBI.

In their joint advisory last year, the NSA and FBI explained the Linux-based malware — dubbed “Drovorub” by researchers — consists of three different components: a kernel module rootkit, a file transfer and port forwarding kit and a command-and-control (C&C) tool.

They found that these traits made it possible for Fancy Bear, also known as “APT28” and “Strontium,” to download and upload files, execute arbitrary commands as root and port forward network traffic on other hosts.

What is Fancy Bear?

Researchers at the NSA and FBI attributed Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector organizations assigned “APT28,” “Fancy Bear” and other identifiers to this group over the course of analyzing some of its other attack campaigns over the past few years.

Fancy Bear has been named as the group behind several other recent attack campaigns. In late August 2019, Fancy Bear launched a new attack campaign targeting embassies and foreign affairs ministries in Eastern Europe and Central Asia. ESET found that the operation began with a phishing email containing a malicious attachment. It then led the victim through a chain of downloaders, including one written in the Nim programming language, before dropping the Zebrocy backdoor.

A month later, Fancy Bear launched a series of digital attacks targeting anti-doping organizations and other sports entities. APT28 folded spear-phishing tactics, password spraying and exploits involving web-connected devices into their attacks.

Trend Micro published a report in March 2020 detailing the attack campaigns of Pawn Storm, another identifier employed by Fancy Bear. Among other findings, this report revealed the threat group had integrated credential phishing and scanning for servers into their most recent attacks.

Several months after that, Wired covered an attack campaign stretching from December 2018 until at least May of last year. In this operation, Fancy Bear targeted the mail servers, email accounts and VPNs of organizations based in the United States, including government institutions and education agencies.

Organizations in the private sector also attributed Drovorub to Fancy Bear. They did so by identifying linkages between the malware’s operational C&C infrastructure and the digital attack infrastructure employed by the threat group.

Malware Using Multiple Evasion Techniques

During their analysis, the FBI and NSA found that Drovorub’s kernel module employed several different techniques to hide its artifacts from users. For instance, the government entities found that the kernel module used process hiding by concealing its processes from both system calls and from the proc filesystem. They also found the malware hooked either the iterate_dir() or vfs_readdir() kernel functions, which enabled it to conceal files; hid network sockets by filtering out hidden sockets after hooking a kernel function; registered a Netfilter hook to filter packets in the kernel; and hooked the skb_recv_datagram() kernel function to hide from raw socket services.

How to Detect Drovorub 

Notwithstanding the malware threat’s evasion techniques, the FBI and NSA observed that organizations could use several tactics to detect Drovorub. Intrusion detection systems (IDSes) could spot C&C messages exchanged between the malware’s client or agent and its server, for example. Researchers found this method could be subject to evasion, however. Alternatively, organizations could use a script that communicates with the kernel module to probe for the malware, though the threat could evade this detection tactic, too.

Organizations can ultimately try to prevent a Drovorub infection by using their comprehensive vulnerability management program to apply updates to their Linux-based machines. They should also configure their systems to prevent untrusted Linux modules from loading.

More from News

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

DHS awards significant grant to improve tribal cybersecurity

4 min read - The Department of Homeland Security (DHS) has awarded $18.2 million in grants through the Tribal Cybersecurity Grant Program to boost cybersecurity defenses among Native American Indian Tribes. The program takes a big step in addressing the unique digital threats faced by tribal communities — a dedicated effort to improve cybersecurity infrastructure across these regions. The $18.2 million grant is just one component of DHS's broader strategy to enhance national cybersecurity. Administered by the Federal Emergency Management Agency (FEMA) in partnership…

ONCD releases request for information: Open-source software security

3 min read - Open-source software is a collective partnership across the development community that requires both private and public buy-in. However, securing open-source software can be tricky. With so many different people working on the coding, security measures are often overlooked, increasing the chances that a vulnerability will fall through the cracks and be exploited. The Open-Source Software Security Initiative (OS31) aims to provide governance over open-source security processes. After the Log4Shell vulnerability, securing open-source software became a top priority for the federal…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today