February 11, 2021 By David Bisson 2 min read

Russian digital espionage group Fancy Bear incorporated a new malware threat into their attack campaigns, according to the National Security Agency (NSA) and the FBI.

In their joint advisory last year, the NSA and FBI explained the Linux-based malware — dubbed “Drovorub” by researchers — consists of three different components: a kernel module rootkit, a file transfer and port forwarding kit and a command-and-control (C&C) tool.

They found that these traits made it possible for Fancy Bear, also known as “APT28” and “Strontium,” to download and upload files, execute arbitrary commands as root and port forward network traffic on other hosts.

What is Fancy Bear?

Researchers at the NSA and FBI attributed Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector organizations assigned “APT28,” “Fancy Bear” and other identifiers to this group over the course of analyzing some of its other attack campaigns over the past few years.

Fancy Bear has been named as the group behind several other recent attack campaigns. In late August 2019, Fancy Bear launched a new attack campaign targeting embassies and foreign affairs ministries in Eastern Europe and Central Asia. ESET found that the operation began with a phishing email containing a malicious attachment. It then led the victim through a chain of downloaders, including one written in the Nim programming language, before dropping the Zebrocy backdoor.

A month later, Fancy Bear launched a series of digital attacks targeting anti-doping organizations and other sports entities. APT28 folded spear-phishing tactics, password spraying and exploits involving web-connected devices into their attacks.

Trend Micro published a report in March 2020 detailing the attack campaigns of Pawn Storm, another identifier employed by Fancy Bear. Among other findings, this report revealed the threat group had integrated credential phishing and scanning for servers into their most recent attacks.

Several months after that, Wired covered an attack campaign stretching from December 2018 until at least May of last year. In this operation, Fancy Bear targeted the mail servers, email accounts and VPNs of organizations based in the United States, including government institutions and education agencies.

Organizations in the private sector also attributed Drovorub to Fancy Bear. They did so by identifying linkages between the malware’s operational C&C infrastructure and the digital attack infrastructure employed by the threat group.

Malware Using Multiple Evasion Techniques

During their analysis, the FBI and NSA found that Drovorub’s kernel module employed several different techniques to hide its artifacts from users. For instance, the government entities found that the kernel module used process hiding by concealing its processes from both system calls and from the proc filesystem. They also found the malware hooked either the iterate_dir() or vfs_readdir() kernel functions, which enabled it to conceal files; hid network sockets by filtering out hidden sockets after hooking a kernel function; registered a Netfilter hook to filter packets in the kernel; and hooked the skb_recv_datagram() kernel function to hide from raw socket services.

How to Detect Drovorub 

Notwithstanding the malware threat’s evasion techniques, the FBI and NSA observed that organizations could use several tactics to detect Drovorub. Intrusion detection systems (IDSes) could spot C&C messages exchanged between the malware’s client or agent and its server, for example. Researchers found this method could be subject to evasion, however. Alternatively, organizations could use a script that communicates with the kernel module to probe for the malware, though the threat could evade this detection tactic, too.

Organizations can ultimately try to prevent a Drovorub infection by using their comprehensive vulnerability management program to apply updates to their Linux-based machines. They should also configure their systems to prevent untrusted Linux modules from loading.

More from News

New ransomware over browser threat targets uploaded files

3 min read - We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files. What is ransomware over browsers? Researchers at Florida International University worked with Google to…

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today