
S0502 Drovorub

Drovorub is a Linux malware toolset composed of an agent, a client, a server, and kernel modules, that has been used by APT28.[1]

Item Value
ID S0502
Associated Names
Version 1.0
Created 25 August 2020
Last Modified 18 September 2020

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.[1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.006 Kernel Modules and Extensions Drovorub can use kernel modules to establish persistence.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Drovorub can execute arbitrary commands as root on a compromised system.[1]
enterprise T1005 Data from Local System Drovorub can transfer files from the victim machine.[1]
enterprise T1140 Deobfuscate/Decode Files or Information Drovorub has de-obfuscated XOR-encrypted payloads carried in WebSocket messages.[1]
enterprise T1041 Exfiltration Over C2 Channel Drovorub can exfiltrate files over C2 infrastructure.[1]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Drovorub can delete specific files from a compromised host.[1]
enterprise T1105 Ingress Tool Transfer Drovorub can download files to a compromised host.[1]
enterprise T1095 Non-Application Layer Protocol Drovorub can use TCP to communicate between its agent and client modules.[1]
enterprise T1027 Obfuscated Files or Information Drovorub has used XOR-encrypted payloads in WebSocket client-to-server messages.[1]
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Drovorub can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network.[1]
enterprise T1014 Rootkit Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user-space view.[1]
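The T1071.001, T1027 and T1140 rows above describe C2 traffic that starts with an HTTP Upgrade to WebSocket and then carries XOR-encoded client-to-server payloads. The following is an added example, not code from the ATT&CK page or from the Drovorub advisory, showing how an analyst working from a packet capture would (a) flag the Upgrade handshake and (b) recover the payload of a masked client-to-server WebSocket frame. The page does not say how Drovorub keys its XOR; this example applies the standard RFC 6455 client-to-server masking (a 4-byte XOR key carried in the frame header), which is the one XOR layer every compliant client-to-server frame has, so a capture must at least be unmasked this way before any further decoding. If the malware layers its own XOR on top, that key is not given on this page and is not assumed here. The host, path, mask key and JSON payload are constructed sample data, not observed Drovorub traffic.

```python
"""Added example: detect a WebSocket Upgrade request and recover XOR-masked
client-to-server frame payloads from constructed sample traffic."""
import struct

# Constructed sample handshake (hypothetical host and path, not from the page).
SAMPLE_UPGRADE = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)


def is_websocket_upgrade(request: bytes) -> bool:
    """True if an HTTP request carries the RFC 6455 handshake pair
    'Upgrade: websocket' and 'Connection: Upgrade' (header names are
    case-insensitive, so everything is lower-cased before comparison)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return (headers.get(b"upgrade") == b"websocket"
            and b"upgrade" in headers.get(b"connection", b""))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_masked_frame(payload: bytes, mask_key: bytes, opcode: int = 0x1) -> bytes:
    """Build a single FIN, masked client-to-server frame as RFC 6455 requires.
    Only used here to construct sample traffic for the parser below."""
    if len(mask_key) != 4:
        raise ValueError("mask key must be 4 bytes")
    n = len(payload)
    if n < 126:
        hdr = bytes([0x80 | opcode, 0x80 | n])
    elif n < 65536:
        hdr = bytes([0x80 | opcode, 0x80 | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([0x80 | opcode, 0x80 | 127]) + struct.pack("!Q", n)
    return hdr + mask_key + xor_with_key(payload, mask_key)


def parse_frame(frame: bytes) -> dict:
    """Parse one WebSocket frame. If the MASK bit is set, the 4-byte key that
    follows the length field is XORed over the payload to recover cleartext."""
    if len(frame) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = frame[0], frame[1]
    fin, opcode, masked = bool(b0 & 0x80), b0 & 0x0F, bool(b1 & 0x80)
    length, pos = b1 & 0x7F, 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[2:4])
        pos = 4
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[2:10])
        pos = 10
    mask_key = b""
    if masked:
        mask_key = frame[pos:pos + 4]
        pos += 4
    payload = frame[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        payload = xor_with_key(payload, mask_key)
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "mask_key": mask_key, "payload": payload}


# Constructed sample message; the JSON content and key are hypothetical.
SAMPLE_PAYLOAD = b'{"cmd":"list","path":"/etc"}'
SAMPLE_FRAME = build_masked_frame(SAMPLE_PAYLOAD, b"\x12\x34\x56\x78")

if __name__ == "__main__":
    print("upgrade handshake:", is_websocket_upgrade(SAMPLE_UPGRADE))
    print("recovered frame:", parse_frame(SAMPLE_FRAME))
```

Because the mask key travels in the same frame as the masked bytes, this layer is obfuscation rather than encryption: anyone holding the capture can strip it, which is why the page lists it under T1027/T1140 rather than as an encrypted channel. A capture whose payload is still unreadable after unmasking indicates a further encoding layer that this example does not attempt to recover.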

Groups That Use This Software

ID Name References
G0007 APT28 [1]