Drovorub
Drovorub is a modular Linux malware toolset and backdoor used in cyber espionage operations. U.S. government reporting from the FBI and NSA in August 2020 described it as previously undisclosed malware designed for Linux systems and attributed its deployment to the Russian GRU 85th Main Special Service Center (GTsSS), military unit 26165, which is also tracked as APT28/Fancy Bear/Strontium/Sednit. The malware has been assessed as used in real-world intrusions to plant backdoors inside compromised networks.
The toolset consists of four components: Drovorub-client, Drovorub-agent, a kernel-module rootkit, and Drovorub-server. The components communicate using JSON over WebSockets, and the server uses MySQL for registration, authentication, and tasking. The client supports remote shell access, file transfer, and port forwarding. The agent is intended for file upload, file download, and relaying network traffic, including use of TCP between agent and client modules and port-forwarding rules to relay traffic through the client module to remote hosts on the same network. The malware can transfer files from victim machines and exfiltrate files over its command-and-control infrastructure.
A key stealth feature is the Drovorub kernel-module rootkit, which hides itself and user-space artifacts including files, directories, network ports, network sessions, the Drovorub-client process, and child processes. This stealth functionality makes host-based detection difficult with common live-response tooling. The NSA/FBI reporting stated that memory analysis is the most effective detection method for the rootkit; additional detection approaches mentioned include network intrusion detection, Snort rules for some WebSocket traffic, Yara-based checks for hidden files, security products such as AV/EDR, Linux audit logs, and disk image analysis for persistent artifacts and configuration data.
Mitigation guidance directly mentioned in the reporting includes updating Linux systems, especially to kernel version 3.7 or later, and enforcing signed kernel modules so that only modules with valid digital signatures can be loaded, making installation of the malicious rootkit more difficult. Drovorub was also cited as a notable Linux malware discovery in 2020.
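As an added illustration of the two host mitigations named above, and not code from the NSA/FBI advisory or from this page's source, the following POSIX shell script checks a host's kernel version against the 3.7 threshold and reads the kernel's module-signature enforcement flag. The sysfs path /sys/module/module/parameters/sig_enforce is the standard kernel interface for the module.sig_enforce setting (it reads "Y" when unsigned modules are refused); the function names and the fallback sample values are this example's own assumptions so that it runs end to end on any host.

```shell
#!/bin/sh
# Added example (not from the advisory): evaluate the two host-hardening
# mitigations the NSA/FBI report names against Drovorub's kernel-module rootkit:
#   1. kernel version 3.7 or later
#   2. kernel module signature enforcement (module.sig_enforce=1 or a kernel
#      built with CONFIG_MODULE_SIG_FORCE), so an unsigned module cannot load.
# The checks take their inputs as arguments so they can be exercised against
# constructed sample values as well as live host data.

# kernel_version_status VERSION -> prints "ok" if VERSION is >= 3.7, else "old".
# Handles distro suffixes such as "3.10.0-1160.el7" by keeping only the
# leading digits of the minor component.
kernel_version_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 7 ]; }; then
        echo ok
    else
        echo old
    fi
}

# module_signing_status SIG_ENFORCE -> prints "enforced" when the kernel refuses
# unsigned modules (sysfs value "Y"), otherwise "not-enforced".
module_signing_status() {
    case "$1" in
        Y|y|1) echo enforced ;;
        *)     echo not-enforced ;;
    esac
}

# Read live values where available; fall back to labelled constructed values
# (for example on a non-Linux host) so the report still runs.
live_kernel=$(uname -r 2>/dev/null || echo "3.6.11-CONSTRUCTED")
if [ -r /sys/module/module/parameters/sig_enforce ]; then
    live_sig=$(cat /sys/module/module/parameters/sig_enforce)
else
    live_sig="N"   # constructed: sysfs knob absent, treated as not enforced
fi

# report -> prints one line per mitigation for the live (or fallback) values.
report() {
    printf 'kernel %s: %s (advisory asks for 3.7 or later)\n' \
        "$live_kernel" "$(kernel_version_status "$live_kernel")"
    printf 'module signature enforcement: %s\n' \
        "$(module_signing_status "$live_sig")"
}

report
```

A "not-enforced" result means the kernel will still load an unsigned module, which is the condition the advisory's mitigation is meant to remove; an "old" kernel predates module signing support entirely, so the second check cannot pass until the first does.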
Groups observed using it
3 distinct threat actors attributed by public researchers.
The U.S. Government assesses that GTsSS cyber actors have deployed Drovorub malware against victim devices as part of their cyber espionage operations.
Furthermore, the Drovorub malware used in the conduct of cyberespionage activities is attributed to have its origin within the GRU.
NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Capturing information from air-gapped computers via infected USB devices
GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be legitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular webmail services’ logon pages.
Execution
1 technique
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
5 techniques
Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
In addition to Drovorub's multiple capabilities, it is designed for stealth by utilizing advanced 'rootkit' technologies that make detection difficult.
Discovery
1 technique
Utilizing complex malware to target routers and IoT devices to enable reconnaissance within potential victim networks and potentially set the stage for wiper operations.
Lateral Movement
1 technique
Collection
1 technique
Command and Control
7 techniques
The Linux malware toolset consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and logic for connecting back to a Command and Control (C2) server. | The components communicate via JSON over WebSockets.
Examples include 'Drovorub ... initiated communication with C2 servers with an HTTP Upgrade request' and 'COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.' | The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.
Drovorub is a 'swiss-army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer.
Exfiltration
1 technique
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Referenced as a comparator Linux rootkit that uses a single pre-compiled kernel module, limiting kernel compatibility.
Malware attributed to the GRU and used for cyberespionage activities.
A Linux malware toolkit attributed to Russian state-sponsored actors, used for espionage and persistent access.
Linux malware toolset used for cyber espionage that includes an implant, a kernel-module rootkit, file transfer, port forwarding, remote shell capability, and command-and-control communications over JSON via WebSockets.