Russian digital espionage group Fancy Bear incorporated a new malware threat into their attack campaigns, according to the National Security Agency (NSA) and the FBI.

In their joint advisory last year, the NSA and FBI explained the Linux-based malware — dubbed “Drovorub” by researchers — consists of three different components: a kernel module rootkit, a file transfer and port forwarding kit and a command-and-control (C&C) tool.

They found that these traits made it possible for Fancy Bear, also known as “APT28” and “Strontium,” to download and upload files, execute arbitrary commands as root and port forward network traffic on other hosts.

What is Fancy Bear?

Researchers at the NSA and FBI attributed Drovorub to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector organizations assigned “APT28,” “Fancy Bear” and other identifiers to this group over the course of analyzing some of its other attack campaigns over the past few years.

Fancy Bear has been named as the group behind several other recent attack campaigns. In late August 2019, Fancy Bear launched a new attack campaign targeting embassies and foreign affairs ministries in Eastern Europe and Central Asia. ESET found that the operation began with a phishing email containing a malicious attachment. It then led the victim through a chain of downloaders, including one written in the Nim programming language, before dropping the Zebrocy backdoor.

A month later, Fancy Bear launched a series of digital attacks targeting anti-doping organizations and other sports entities. APT28 folded spear-phishing tactics, password spraying and exploits involving web-connected devices into their attacks.

Trend Micro published a report in March 2020 detailing the attack campaigns of Pawn Storm, another identifier employed by Fancy Bear. Among other findings, this report revealed the threat group had integrated credential phishing and scanning for servers into their most recent attacks.

Several months after that, Wired covered an attack campaign stretching from December 2018 until at least May of last year. In this operation, Fancy Bear targeted the mail servers, email accounts and VPNs of organizations based in the United States, including government institutions and education agencies.

Organizations in the private sector also attributed Drovorub to Fancy Bear. They did so by identifying linkages between the malware’s operational C&C infrastructure and the digital attack infrastructure employed by the threat group.

Malware Using Multiple Evasion Techniques

During their analysis, the FBI and NSA found that Drovorub’s kernel module employed several different techniques to hide its artifacts from users. For instance, the government entities found that the kernel module used process hiding by concealing its processes from both system calls and from the proc filesystem. They also found the malware hooked either the iterate_dir() or vfs_readdir() kernel functions, which enabled it to conceal files; hid network sockets by filtering out hidden sockets after hooking a kernel function; registered a Netfilter hook to filter packets in the kernel; and hooked the skb_recv_datagram() kernel function to hide from raw socket services.

How to Detect Drovorub 

Notwithstanding the malware threat’s evasion techniques, the FBI and NSA observed that organizations could use several tactics to detect Drovorub. Intrusion detection systems (IDSes) could spot C&C messages exchanged between the malware’s client or agent and its server, for example. Researchers found this method could be subject to evasion, however. Alternatively, organizations could use a script that communicates with the kernel module to probe for the malware, though the threat could evade this detection tactic, too.

Organizations can ultimately try to prevent a Drovorub infection by using their comprehensive vulnerability management program to apply updates to their Linux-based machines. They should also configure their systems to prevent untrusted Linux modules from loading.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…