Schneider Electric published a security bulletin to warn customers of the Drovorub Linux malware, the malware was analyzed in a joint alert published in August by NSA and the FBI.
According to the US agencies, the Linux malware was allegedly employed in attacks carried out by the Russia-linked cyber espionage group APT28.
The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”
The FBI and NSA attribute the Drovorub malware to APT28 due to the reuse of the C2 infrastructure in different operations, including a past campaign targeting IoT devices in 2019.
Drovorub is a modular malware that includes the implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actorcontrolled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as “root”; and port forwarding of network traffic to other hosts on the network.” reads the joint report. “A number of complementary detection techniques effectively identify Drovorub malware activity. However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale.”
Drovorub could allow state-sponsored hackers to carry out a broad range of activities, such as stealing files, establishing backdoor access, remote controlling the target’s computer. The malware implements a sophisticated evasion technique, it leverages advanced ‘rootkit’ capabilities to remain under the radar.
The government agencies recommend that US organizations update any Linux system to a version running kernel version 3.7 or later to prevents Drovorub’s rootkit infections.
Drovorub targets systems running Linux kernel versions 3.7 or lower, the researchers pointed out that the malicious code cannot achieve persistence on systems that uses the UEFI secure boot in Full or Thorough mode.
The affected products are ethernet and serial data radios that provide long-range wireless data communications for SCADA and remote telemetry applications.
“Schneider Electric is aware of the recently published Drovorub malware. To further mitigate the effects of this malware, Schneider Electric recommends applying a defense in depth approach to protect their Q Data Radio and J Data Radio devices from malware being installed.” reads the security bulletin published by the vendor. “In addition, Schneider Electric recommends customers make use of the available features to reduce the risk of malware installation such as user access controls and the available secure protocols HTTPS and SSH.”
The company’s advisory states that once a device is infected, the malware could allow attackers to communicate with C2 infrastructure, download/upload files, execute arbitrary commands, port forward of network traffic to other hosts on the network, and implement hiding techniques to evade detection.
“Schneider Electric is establishing a remediation plan for all future versions of Trio J-Series Data Radios and Trio Q-Series Data Radios that will include a fix for the Drovorub vulnerability.” concludes the advisory. “We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations to reduce the risk of exploit. Enable Role-Based Access Control (RBAC).”
The good news is that the company is aware of attacks in the wild involving the Drovorub malware.
(SecurityAffairs – hacking, Drovorub Linux Malware)