“Swiss knife for Linux hacking”: NSA and FBI talk about the Drovorub virus from Russian intelligence

It consists of several modules and creates backdoors in compromised networks for penetration.

The NSA and the US FBI announced the discovery of a new virus from the APT28 group, which is considered a front for hackers working for Russian intelligence. The malware is called Drovorub; it is built from several modules and infects only Linux systems.

[Image: Drovorub components. Source: FBI and US NSA]

According to the NSA and the FBI, the virus consists of an implant, a kernel rootkit module, a file transfer tool, a port forwarding module, and a command server. Drovorub can perform several different tasks at once, including stealing files or remotely controlling victim computers.

McAfee called the virus “the Swiss army knife for Linux hacking.” As the experts noted, Drovorub uses, among other things, advanced rootkit techniques that make it hard to detect. This lets the virus be deployed against many different kinds of targets at once and leaves the door open for an attack at any time.
To limit the possible impact of a Drovorub attack, the FBI and NSA advised companies and government agencies in the United States to update Linux systems to kernel version 3.7 or later. Those kernels can enforce signatures on loadable kernel modules, which blocks a module that is not signed with a trusted key, such as the Drovorub rootkit, from being loaded.
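The two conditions the advisory summary above names, a kernel of version 3.7 or later and enforced kernel module signing, can be checked from a shell. The script below is an added example written for this page; it is not code from the article, the NSA/FBI advisory, or McAfee. It assumes the kernel exposes the `module.sig_enforce` setting at `/sys/module/module/parameters/sig_enforce` (the path the mainline kernel uses, readable as `Y` or `N`); the function names and the optional arguments that override the kernel version and sysfs path for testing are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the NSA/FBI advisory): audit whether a
# Linux host meets the two mitigations named for Drovorub's rootkit module,
# kernel >= 3.7 and enforced kernel module signature checking.

# kernel_at_least MAJOR.MINOR VERSION -> exit 0 if VERSION is >= MAJOR.MINOR.
# VERSION is in "uname -r" form; distro suffixes such as "-42-generic" are ignored.
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have=${2%%-*}              # drop "-generic", "-754.el6.x86_64", ...
    have_major=${have%%.*}
    rest=${have#*.}
    have_minor=${rest%%.*}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# sig_enforce_status [SYSFS_FILE] -> prints "enforced" when the kernel refuses
# unsigned modules (module.sig_enforce=Y), "not-enforced" when it only logs them
# (N), or "unknown" when the file is absent, e.g. a kernel built without
# CONFIG_MODULE_SIG. Exit status: 0, 1 or 2 respectively.
sig_enforce_status() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] || { echo unknown; return 2; }
    case $(cat "$f") in
        Y) echo enforced; return 0 ;;
        N) echo not-enforced; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# drovorub_mitigation_audit [VERSION] [SYSFS_FILE] -> exit 0 only when both
# conditions hold. Arguments default to the running kernel and the real sysfs path.
drovorub_mitigation_audit() {
    ver=${1:-$(uname -r)}
    ok=0
    if kernel_at_least 3.7 "$ver"; then
        echo "kernel $ver: 3.7 or later, module signing is available"
    else
        echo "kernel $ver: older than 3.7, module signature enforcement unavailable"
        ok=1
    fi
    status=$(sig_enforce_status "$2")
    echo "module.sig_enforce: $status"
    [ "$status" = enforced ] || ok=1
    return $ok
}

# Run against this host when executed directly; pass a version string and a file
# path to audit recorded values instead (used by the tests below the example).
drovorub_mitigation_audit "$@" && echo "RESULT: mitigations in place" || echo "RESULT: action needed"
```

A `not-enforced` result on a kernel newer than 3.7 usually means the kernel was built with signing support but booted without `module.sig_enforce=1` (or `CONFIG_MODULE_SIG_FORCE`), so a kernel upgrade alone is not enough; the enforcement flag has to be on as well.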

The APT28 group is also known as Fancy Bear. According to the American authorities, behind these names stands the 85th Main Special Service Center of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. The group is credited with hacking the US Democratic Party on the eve of the 2016 elections, cyber attacks on government offices in Germany, and the hack of TV5Monde.
