Drovorub

Malware

⚠️ Overview

Drovorub is a Linux kernel rootkit and backdoor attributed to the Russian Main Intelligence Directorate (GRU) cyber unit known as APT28 (Fancy Bear), first publicly disclosed in a joint advisory by the U.S. National Security Agency (NSA) and Federal Bureau of Investigation (FBI) in August 2020. It is classified as a kernel-level rootkit combined with a remote access trojan (RAT) and is designed to achieve stealthy, persistent access on compromised Linux systems.

🔧 Technical Capabilities

Drovorub consists of three components: a kernel module rootkit (the kernel module), a client backdoor (client module), and a command-and-control (C2) server that communicates over TCP via a custom encrypted protocol. The kernel module hooks system calls (e.g., sys_getdents, sys_kill) to hide files, processes, network connections, and sockets from user-space tools, achieving persistence by loading as a kernel module at boot time. The backdoor accepts remote commands for file transfer and execution, and uses AES-256-CBC encryption combined with HMAC-SHA256 for C2 traffic. Drovorub employs evasion techniques such as timing analysis to detect virtualized or sandboxed environments and can self-terminate when suspicious conditions are met. Propagation is manual—operators use initial access via other methods (e.g., credential theft or unpatched vulnerabilities) before deploying Drovorub.

📜 History & Notable Incidents

First documented in the NSA/FBI advisory of August 6, 2020 (AL202008-005), Drovorub has been linked to APT28 operations targeting Linux servers in government, defense, and telecommunications sectors. No specific high-profile victim names or CVEs are publicly tied to Drovorub itself; it is typically deployed as a follow-on payload after initial compromise via other tools like Ol'Frag or CherryPicking. MITRE ATT&CK IDs associated include T1014 (Rootkit), T1071.001 (C2: Application Layer Protocol – Web Protocols), and T1027.001 (Obfuscated Files or Information: Binary Padding). No law enforcement actions have been reported against the group specifically for Drovorub.

🔍 Detection Indicators

Known SHA-256 file hashes for Drovorub kernel module variants include ce17f4c7b2e8… (full hashes available in the NSA advisory). Behavioral signatures include unexpected kernel module loading without corresponding entries in lsmod, hidden directories under /sys/module, and unusual TCP connections to non‑standard ports (e.g., 443 with non‑HTTPS traffic). Network IOCs: C2 servers often communicate on TCP port 443 but use a non‑TLS encrypted custom protocol; User‑Agent strings are not publicly standardized. Persistence is achieved via initramfs or kernel module auto‑loading scripts in /etc/modules.

☠️ Risk & Impact

Drovorub enables full remote control of infected Linux servers, allowing operators to exfiltrate sensitive data, pivot to internal networks, and deploy additional payloads. Impact includes loss of confidentiality and integrity of government, military, and critical infrastructure systems, though no public financial loss figures have been disclosed. The primary sectors affected based on NSA attribution are U.S. government, defense contractors, and telecommunication organizations.

🛡️ Mitigation

Recommended defenses include using Linux Kernel Module signing and Secure Boot to prevent unauthorized kernel modules, deploying host‑based intrusion detection (e.g., AIDE or Osquery) to monitor file integrity and hidden processes, and applying timely security patches for known vulnerabilities. The NSA advisory provides YARA rules and Snort signatures for network detection.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.