Drovorub Linux Rootkit IOCs

Drovorub Components

As is already known, the NSA and FBI jointly released a cybersecurity advisory on August 13th about a previously undisclosed Linux rootkit called ‘Drovorub’. The NSA has attributed it to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165. Private-sector vendors have attributed the same activity to the group tracked as Fancy Bear, APT28, Strontium, etc.

The NSA has done an excellent job in drafting this advisory, which details thorough technical information on the various components of this rootkit/malware. You can find the advisory here.

Although the NSA has not provided any direct IOCs in the report, it mentions a blog post by the Microsoft Security Response Center which lists five C2 IP addresses.

I did some pivoting in VirusTotal Graph around the known C2 IP addresses and could capture a few hashes for shell scripts and a C++ file.

Drovorub Indicators of Compromise (IOCs)

  • 92610f217e86134c695dfd11d4a81feb4f4760ef05d57407d33a7c09dfe071da (1.sh)
  • 53dede6856e46a2fbda8cb415ac96de18e751c3bf5749e596a6d844c2c9cb707 (1.sh)
  • 1c0d14b530632307329de7bfb3546a91f6ebfd0256664c33a92f2b6e8ad88626 (1.sh)
  • 17bf00b67487164d1822ea48f36d62bf6f4ff9b2388cab2c0757644fdf30e5bd

The full IOC pivot graph can be found here.

You can write custom scripts or create custom alerts in your Endpoint Detection and Response (EDR) tools to detect any activity involving these hashes or file names. Other detection methods are described in the NSA’s security advisory.
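As an added example (not part of the original post), a small Python scanner that applies the hashes and file name listed above to a directory tree: it hashes each regular file in chunks and reports which indicator matched, so a name-only hit can be triaged separately from an exact hash hit. The sample directory built by `demo_scan` and the extra hash it adds to the IOC set are constructed for the demonstration only.

```python
import hashlib
import os
import tempfile

# SHA-256 values and the script name from the IOC list in this post.
DROVORUB_SHA256 = {
    "92610f217e86134c695dfd11d4a81feb4f4760ef05d57407d33a7c09dfe071da",
    "53dede6856e46a2fbda8cb415ac96de18e751c3bf5749e596a6d844c2c9cb707",
    "1c0d14b530632307329de7bfb3546a91f6ebfd0256664c33a92f2b6e8ad88626",
    "17bf00b67487164d1822ea48f36d62bf6f4ff9b2388cab2c0757644fdf30e5bd",
}
DROVORUB_FILENAMES = {"1.sh"}

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root, bad_hashes=DROVORUB_SHA256, bad_names=DROVORUB_FILENAMES):
    """Walk `root`; flag regular files whose name or SHA-256 is an IOC. `match`
    says which indicator hit, so name-only hits can be triaged separately."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and device nodes
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file; log it in a real deployment
            matched = [tag for tag, hit in (("filename", name in bad_names),
                                            ("sha256", digest in bad_hashes)) if hit]
            if matched:
                findings.append({"name": name, "path": path, "sha256": digest, "match": matched})
    return findings

def demo_scan():
    """Constructed sample tree: one name hit, one hash hit, one clean file."""
    dropper = b"#!/bin/sh\necho constructed sample, not real malware\n"
    bad = DROVORUB_SHA256 | {hashlib.sha256(dropper).hexdigest()}  # constructed extra IOC
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("1.sh", b"echo benign body, suspicious name\n"),
                          ("dropper.bin", dropper), ("notes.txt", b"clean\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return sorted(scan_tree(root, bad), key=lambda f: f["name"])
```

Run `scan_tree("/")` (or a narrower root such as a mounted disk image) to sweep a host; each finding carries the path and digest you would push into an EDR alert.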