The United States National Security Agency and Federal Bureau of Investigation have released a Cybersecurity Advisory regarding the Drovorub malware.
Per the advisory, Drovorub is a Linux malware toolset consisting of an implant coupled with the following:
- A kernel module rootkit
- A file transfer and port forwarding tool
- A Command and Control (C2) server
When deployed on a victim system, the Drovorub implant (client) provides the capability for direct communications with an actor-controlled C2 infrastructure, which allows the following:
- File download and upload capabilities
- Execution of arbitrary commands as root
- Port forwarding of network traffic to other hosts on the network
To prevent a system from being susceptible to Drovorub's hiding and persistence, system administrators must update to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Also, system owners are advised to configure systems to load only modules with a valid digital signature. This action makes it more difficult for an actor to introduce a malicious kernel module into the system.
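The following POSIX shell functions are an added example, not part of the advisory, for auditing the two mitigations just described on a Linux host: the kernel version floor of 3.7 and enforcement of module signatures. They assume the standard kernel interfaces `/sys/module/module/parameters/sig_enforce`, `/boot/config-*` (`CONFIG_MODULE_SIG_FORCE`) and `/proc/sys/kernel/tainted` (taint bit 13, the `E` flag, set when an unsigned module has been loaded); each function also accepts an explicit input so it can be run against constructed values.

```shell
#!/bin/sh
# Added example (not from the NSA/FBI advisory): defender-side checks for the
# Drovorub mitigations above. Inputs default to the live system's kernel
# interfaces but can be supplied as arguments for offline testing.

# Return 0 if a kernel version string (e.g. "5.4.0-42-generic") is >= 3.7,
# the floor the advisory gives for kernel module signature enforcement.
kernel_at_least_3_7() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }
}

# Print whether the running kernel refuses unsigned modules. Reads
# /sys/module/module/parameters/sig_enforce ("Y"/"N") unless a path is given;
# a missing file means the kernel was built without module signing.
sig_enforce_status() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] || { echo "unsupported"; return 2; }
    case $(cat "$f") in
        Y) echo "enforced";     return 0 ;;
        N) echo "not-enforced"; return 1 ;;
        *) echo "unknown";      return 2 ;;
    esac
}

# Return 0 if a kernel config file (e.g. /boot/config-$(uname -r)) was built
# to force signature verification on module load.
config_forces_signing() {
    grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$1"
}

# Return 0 if the kernel taint value (/proc/sys/kernel/tainted) has bit 13
# set: the kernel sets it ('E' flag) once an unsigned module has been loaded,
# which on a signing-capable kernel is worth investigating.
unsigned_module_loaded() {
    taint=${1:-$(cat /proc/sys/kernel/tainted)}
    [ $(( (taint >> 13) & 1 )) -eq 1 ]
}

# Live audit of the current host (only runs when invoked directly).
audit_host() {
    kernel_at_least_3_7 "$(uname -r)" && echo "kernel: ok" || echo "kernel: below 3.7"
    echo "sig_enforce: $(sig_enforce_status)"
    config_forces_signing "/boot/config-$(uname -r)" 2>/dev/null \
        && echo "config: MODULE_SIG_FORCE=y" || echo "config: signing not forced or unknown"
    unsigned_module_loaded && echo "taint: unsigned module loaded" || echo "taint: no unsigned module"
}
```

Run `audit_host` on a host to get a four-line summary; a result of `not-enforced` or `taint: unsigned module loaded` means the signature mitigation is not in effect.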
For more information, see: