Drovorub

Capturing information from air-gapped computers via infected USB devices

GTsSS actors have collected victim credentials by sending spearphishing emails that appear to be legitimate security alerts from the victim’s email provider and include hyperlinks leading to spoofed popular webmail services’ logon pages.

Drovorub malware is made up of four executable components: Drovorub-client, Drovorub-agent, Drovorub-kernel module and Drovorub-server.

Drovorub malware is made up of four executable components: Drovorub-client, Drovorub-agent, Drovorub-kernel module and Drovorub-server.

Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

In addition to Drovorub's multiple capabilities, it is designed for stealth by utilizing advanced 'rootkit' technologies that make detection difficult.

Utilizing complex malware to target routers and IoT devices to enable reconnaissance within potential victim networks and potentially set the stage for wiper operations.

Capturing information from air-gapped computers via infected USB devices

The Linux malware toolset consists of an implant coupled with a kernel module root kit, a file transfer and port forwarding tool, and logic for connecting back to a Command and Control (C2) server. | The components communicate via JSON over WebSockets.

Examples include 'Drovorub ... initiated communication with C2 servers with an HTTP Upgrade request' and 'COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.' | The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

Drovorub is a multi-component system that comes with an implant, a kernel module rootkit, a file transfer tool, a port-forwarding module, and a command-and-control (C2) server.

Drovorub is a 'swiss-army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer.

Examples include: "COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control" and "Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request."

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.