Drovorub Linux Rootkit Malware

Summary

The United States National Security Agency and Federal Bureau of Investigation have released a Cybersecurity Advisory regarding the Drovorub malware.

Per the advisory, Drovorub is a Linux malware toolset consisting of an implant coupled with the following:

A kernel module rootkit
A file transfer and port forwarding tool
A Command and Control (C2) server

When deployed on a victim system, the Drovorub implant (client) provides the capability for direct communications with an actor-controlled C2 infrastructure, which allows the following:

File download and upload capabilities
Execution of arbitrary commands as root
Port forwarding of network traffic to other hosts on the network.

To prevent a system from being susceptible to Drovorub's hiding and persistence, system administrators must update to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Also, system owners are advised to configure systems to load only modules with a valid digital signature. This action makes it more difficult for an actor to introduce a malicious kernel module into the system.

For more information, see:

Solution

Coverage with McAfee solutions:

Network Security Signature Set
Use the following UDS to detect the Drovorub C&C traffic on the network. This UDS was rolled into the weekly NSP signature set released on August 18, 2020:

AttackName = UDS-Malware: Drovorub Malware C2 Traffic Detected

Information about User-Defined Signature sets is provided in KB55447 - REGISTERED - Network Security Platform User-Defined Signature Releases.

ENS for Linux and VSE for Linux
Coverage for the Drovorub malware is provided in the August 14, 2020 DAT and AMCore content releases. Coverage is based on the extensive information provided in the NSA/FBI Security Advisory. Future variants of the malware might require new signature updates.

McAfee Active Response and MVISION Endpoint Detection and Response
Use the steps below to create a custom collector to detect the file hashes used by the Drovorub malware.

File Hash Collector:

If file hash collector was enabled on the system, it might be possible to look for artifacts created before the rootkit implant where the file name contains dr_client, or dr_mod.

Custom Collector:

The example below specifies /dev/zero as the testing device, but you can change or update the collector as needed.
In addition, it provides the output of /etc/modules, or /etc/modules-load.d/ files to search for extra patterns.

Steps:

Create a custom collector (Catalog, New Collector):
1. For EDR: Name: _DR , Description: Drovorub detector.
  For MAR: Name: DR , Description: Drovorub detector.
2. Select Linux, and Type Bash Script.
3. Copy and paste the content from the attached sample_collector.txt file in the Attachment section of this article.
4. Add three columns:

Name: DrFileTest, Type: String.
Name: ModulesContent, Type: String.
Name: ModulesFiles, Type: String.

Execute the collector using Real Time Search:

Column	Values
DrFileTest	“File Test Passed” -> File is not hidden after creation “File Test Hidden - May be infected -> File triggered detection step. Require further investigation “Error” -> Test failed for another reason
ModulesContent	Content of /etc/modules file
ModulesFiles	List of files present in /etc/modules-load.d/

Attachment

sample_collector.txt
805Bytes • < 1 minute @ broadband

Affected Products

Endpoint Security for Linux Threat Prevention 10.x
McAfee Active Response 2.x
MVISION EDR - All Versions
Network Security Signature Set - All Versions
VirusScan Enterprise for Linux 1.9.x (EOL)
VirusScan Enterprise for Linux 2.0.x (EOL)
Vulnerability Response

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro

Knowledge Center

Drovorub Linux Rootkit Malware

Environment

Summary

Solution

Attachment

Affected Products

Languages:

Title

Title

Knowledge Center

Drovorub Linux Rootkit Malware

Environment

Summary

Solution

Attachment

Affected Products

Languages:

Choose your region

Title

Title