S0502 Drovorub
Drovorub is a Linux malware toolset composed of an agent, a client, a server, and kernel modules; it has been used by APT28.[1]
| Item | Value |
|---|---|
| ID | S0502 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 August 2020 |
| Last Modified | 18 September 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.006 | Kernel Modules and Extensions | Drovorub can use kernel modules to establish persistence.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | Drovorub can execute arbitrary commands as root on a compromised system.[1] |
| enterprise | T1005 | Data from Local System | Drovorub can transfer files from the victim machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Drovorub has de-obfuscated XOR-encrypted payloads in WebSocket messages.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Drovorub can exfiltrate files over C2 infrastructure.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Drovorub can delete specific files from a compromised host.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Drovorub can download files to a compromised host.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | Drovorub can use TCP to communicate between its agent and client modules.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Drovorub has used XOR-encrypted payloads in WebSocket client-to-server messages.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Drovorub can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network.[1] |
| enterprise | T1014 | Rootkit | Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [1] |