Drovorub
{{short description|Russian state-created malware toolkit}}
Drovorub ({{langx|ru|дроворуб}}, "woodcutter") is a software toolkit for developing malware for the Linux operating system. It was created by the 85th Main Special Service Center, a unit of the Russian GRU that is often referred to as APT28.<ref>{{Cite web|last=|first=|date=|title=Drovorub Malware: Fact Sheet & FAQs|url=https://www.nsa.gov/Portals/70/documents/resources/cybersecurity-professionals/DROVORUB-Fact%20sheet%20and%20FAQs.pdf|url-status=live|archive-url=https://web.archive.org/web/20200814203650/https://www.nsa.gov/Portals/70/documents/resources/cybersecurity-professionals/DROVORUB-Fact%20sheet%20and%20FAQs.pdf |archive-date=2020-08-14 |access-date=21 August 2020|website=nsa.gov}}</ref><ref>{{Cite web|last=|first=|date=August 2020|title=Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware|url=https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF|url-status=live|archive-url=https://web.archive.org/web/20200813165514/https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |archive-date=2020-08-13 |access-date=21 August 2020|website=media.defense.gov}}</ref>
Drovorub has a sophisticated modular architecture,<ref>{{Cite web|last=Cimpanu|first=Catalin|title=FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers|url=https://www.zdnet.com/article/fbi-and-nsa-expose-new-linux-malware-drovorub-used-by-russian-state-hackers/|access-date=2020-08-21|website=ZDNet|language=en}}</ref> containing an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control server. Drovorub has been described as a "Swiss-army knife for hacking Linux".<ref>{{Cite web|last=Jerzewski|first=Matthew|date=2020-08-20|title=Drovorub Malware - "Taking systems to the wood chipper"|url=https://www.tripwire.com/state-of-security/featured/drovorub-malware/|url-status=live|archive-url=https://web.archive.org/web/20200822043911/https://www.tripwire.com/state-of-security/featured/drovorub-malware/ |archive-date=2020-08-22 |access-date=2020-08-21|website=The State of Security|language=en-US}}</ref>
The U.S. government report that first identified Drovorub recommends the use of UEFI Secure Boot and Linux's native kernel module signing facility to resist Drovorub attacks.<ref>{{Cite web|date=2020-08-14|title=NSA and FBI expose Russian 'Drovorub' malware used to target Linux systems|url=https://www.computing.co.uk/news/4019014/nsa-fbi-expose-russian-drovorub-malware-target-linux-systems|access-date=2020-08-21|website=www.computing.co.uk|language=en}}</ref>
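As an added illustration of the two mitigations named above (this script is not from the article or from the advisory it cites), the following POSIX shell check reads the kernel's own interfaces for module-signature enforcement, lockdown mode and UEFI Secure Boot state and classifies the host as hardened, partial or exposed. The sysfs and efivarfs paths, and the mapping of their values to those three labels, are assumptions about a standard Linux kernel.

```shell
#!/bin/sh
# Added example: classify how a Linux host enforces the mitigations the
# NSA/FBI advisory recommends against Drovorub's kernel-module rootkit.
# Kernel interfaces used (assumed standard locations):
#   /sys/module/module/parameters/sig_enforce  "Y" when unsigned modules are refused
#   /sys/kernel/security/lockdown              e.g. "[none] integrity confidentiality"
#   /sys/firmware/efi/efivars/SecureBoot-*     data byte 1 when Secure Boot is on

# Pure classifier so it can be exercised on constructed inputs.
# Args: sig_enforce ("Y"/"N"), lockdown line, secureboot ("1"/"0"/"unknown").
# Prints one word: hardened, partial or exposed.
classify_module_protection() {
    sig_enforce="$1"
    lockdown_line="$2"
    secureboot="$3"

    # The active lockdown mode is the word in square brackets.
    lockdown_mode=$(printf '%s\n' "$lockdown_line" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    [ -n "$lockdown_mode" ] || lockdown_mode="none"

    # Lockdown in integrity or confidentiality mode also refuses unsigned modules.
    signing_enforced=0
    if [ "$sig_enforce" = "Y" ] || [ "$lockdown_mode" != "none" ]; then
        signing_enforced=1
    fi

    if [ "$signing_enforced" -eq 1 ] && [ "$secureboot" = "1" ]; then
        echo hardened
    elif [ "$signing_enforced" -eq 1 ] || [ "$secureboot" = "1" ]; then
        echo partial
    else
        echo exposed
    fi
}

# Read a sysfs value, falling back to a conservative default when absent.
read_file_or() { [ -r "$1" ] && cat "$1" 2>/dev/null || echo "$2"; }

live_secureboot() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$var" ] || { echo unknown; return; }
    # efivarfs exposes 4 attribute bytes followed by the 1-byte variable value.
    od -An -t u1 -j 4 -N 1 "$var" | tr -d ' '
}

check_live_host() {
    classify_module_protection \
        "$(read_file_or /sys/module/module/parameters/sig_enforce N)" \
        "$(read_file_or /sys/kernel/security/lockdown '[none]')" \
        "$(live_secureboot)"
}
```

Run `check_live_host` as root on the machine being assessed; a result other than `hardened` means an unsigned kernel module could still be loaded or the boot chain is not verified.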
== References ==
{{reflist}}
{{hacking in the 2020s}}
{{Espionage-stub}}
{{Malware-stub}}