Schneider Electric published an advisory on Drovorub Linux Malware - Security Affairs

Schneider Electric warns customers about Drovorub Linux malware, which has recently been analyzed by the NSA and the FBI.

Schneider Electric has released a security bulletin informing customers about Drovorub Linux malware. This malware was analyzed in August in a joint NSA/FBI alert.

According to U.S. authorities, the Linux malware has been used in attacks by the cyber-espionage group APT28, which is linked to Russia.

The name is derived from "drovo", which translates to firewood or wood, and "rub", which translates to felling or chopping.

The FBI and the NSA attributed the Drovorub malware to APT28 because the C2 infrastructure was reused in several operations, including a previous campaign against IoT devices in 2019.

Drovorub is a modular malware that contains an implant, a kernel module rootkit, a file transfer utility, a port forwarding module and a command and control (C2) server.

Drovorub is a malware package for Linux consisting of an implant combined with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. When the Drovorub implant (client) is deployed on a victim machine, it provides direct communication with the C2 infrastructure managed by the actors, the ability to download and upload files, run arbitrary commands as root, and forward network traffic to other network hosts, according to the joint report. A number of additional detection methods are available to effectively identify Drovorub malware activity. However, the Drovorub kernel module makes large-scale detection difficult because it hides Drovorub artifacts from the tools normally used for live response.

Drovorub could enable the state-sponsored hackers to perform various activities, such as stealing files, creating a back door and remotely controlling the target computer. The malware uses an advanced evasion technique and relies on the advanced capabilities of the rootkit to stay hidden.

Government agencies recommend that U.S. organizations update any Linux system to kernel version 3.7 or higher to prevent infection by the Drovorub rootkit.

Drovorub targets systems running Linux kernel version 3.7 or lower. Researchers discovered that the malicious code cannot achieve persistence on systems that use UEFI Secure Boot in "Full" or "Thorough" mode.
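An added example (not from the advisory or the Security Affairs article): a POSIX shell check that flags hosts in a fleet inventory whose kernel release is below the 3.7 baseline recommended above. The inventory format (one `hostname kernel-release` pair per line, as collected with `uname -r`), the host names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit kernel releases against the 3.7 baseline from the advisory.

# kernel_at_least MIN RELEASE
# Returns 0 if RELEASE (uname -r style) is >= MIN (major.minor),
# 1 if it is older, 2 if the release string cannot be parsed.
kernel_at_least() {
    min_major=${1%%.*}
    min_minor=${1#*.}
    base=${2%%-*}                 # drop distro suffix, e.g. "-1160.el7.x86_64"
    case "$base" in *.*) ;; *) return 2 ;; esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    # Refuse to guess when either field is not purely numeric.
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$min_major" ] && return 0
    [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ] && return 0
    return 1
}

# audit_inventory: read "host kernel-release" lines on stdin and print
# only the hosts that need attention.
audit_inventory() {
    while read -r host release; do
        [ -n "$host" ] || continue
        rc=0
        kernel_at_least 3.7 "$release" || rc=$?
        case $rc in
            0) ;;                                      # meets the baseline
            1) echo "$host UPGRADE $release" ;;        # below 3.7
            *) echo "$host UNPARSED $release" ;;       # review by hand
        esac
    done
}

# Constructed sample inventory (hypothetical hosts, not real data).
sample_inventory() {
    cat <<'EOF'
scada-gw01 2.6.32-754.el6.x86_64
hist-db02 3.10.0-1160.el7.x86_64
eng-ws03 5.15.0-91-generic
rtu-proxy04 3.2.0-4-amd64
lab-vm05 custom
EOF
}

sample_inventory | audit_inventory
```

The check covers only the kernel baseline; the UEFI Secure Boot setting has to be verified separately on each host.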

Schneider Electric strongly advises customers to have a detailed policy to protect their Trio Q Data Radio and Trio J Data Radio equipment against Drovorub attacks.

These are Ethernet radio receivers and serial data transmission devices, which enable long-distance wireless data transmission for SCADA and telemetry applications.

Schneider Electric is aware of the recently disclosed Drovorub malware. To further mitigate the effects of this malware, Schneider Electric recommends a thorough approach to protect your Q Data Radio and J Data Radio devices against malware. In addition, Schneider Electric advises customers to use the available features to reduce the risk of malware being installed, such as user access control and the available secure protocols HTTPS and SSH.

The company’s advisory states that once a device is infected, the malware can allow attackers to communicate with the C2 infrastructure, download files, execute arbitrary commands, forward network traffic to other network hosts, and implement hiding techniques to evade detection.

Schneider Electric is developing a corrective action plan for all future versions of the Trio J-series and Trio Q-series radios, including fixes for the Drovorub vulnerability. We will update this document as soon as a solution is available. In the meantime, customers should immediately take the following measures to reduce the risk of exploitation: Enable role-based access control (RBAC).

The good news is that the company is aware of attacks in the wild with the Drovorub malware.

Pierluigi Paganini

(Security issues – Hacking, Drovorub Linux malware)



