14 August 2020

NSA and FBI expose a never-before-seen Linux malware

The FBI and NSA have issued a joint warning about a previously unknown Linux malware, which has been used by the Fancy Bear hacker group in attacks aiming to compromise sensitive networks, steal confidential information, and execute malicious commands.

The malware, referred to as “Drovorub” (which means “woodcutter”, or “to split wood”) by its authors, is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a command and control (C2) server. The Drovorub implant provides the capability for direct communications with attacker-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as "root"; and port forwarding of network traffic to other hosts on the network.

“A number of complementary detection techniques effectively identify Drovorub malware activity. However, the Drovorub-kernel module poses a challenge to large-scale detection on the host because it hides Drovorub artifacts from tools commonly used for live-response at scale,” the report said.

While the 45-page report provides an in-depth analysis of the inner workings of the malware, it does not reveal how Drovorub is delivered to a target system, saying only that the attackers use a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.” The Fancy Bear APT usually relies on malicious spam or phishing attacks that either infect computers or steal passwords, as well as exploits for vulnerabilities that haven’t been patched.

The authorities did not specify how long the malware has been in circulation, how many companies were targeted, or whether the attacks were successful.

To prevent attacks, organizations should update to Linux Kernel 3.7 or later in order to take full advantage of kernel signing enforcement.

“Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system,” the two agencies advised.
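As an added example (not code from the advisory or from the agencies), the following POSIX shell script audits the two mitigations above on a host: a kernel at 3.7 or later, and enforced module signature verification. It assumes the kernel exposes the enforcement state at /sys/module/module/parameters/sig_enforce, as kernels built with CONFIG_MODULE_SIG do.

```shell
#!/bin/sh
# Added example, not from the NSA/FBI report: audit the host-side mitigations
# recommended against Drovorub's kernel-module rootkit.
# Assumption: kernels built with CONFIG_MODULE_SIG expose the enforcement
# state at this sysfs path ("Y" = only signed modules may load).
SIG_ENFORCE_PATH=/sys/module/module/parameters/sig_enforce

# kernel_at_least MAJOR.MINOR RELEASE -> succeeds if RELEASE >= MAJOR.MINOR
# (RELEASE is a `uname -r` string such as 3.10.0-1160.el7.x86_64)
kernel_at_least() {
    want_major=${1%%.*}
    want_minor=${1#*.}; want_minor=${want_minor%%.*}
    have_major=${2%%.*}
    rest=${2#*.}                    # drop "MAJOR."
    have_minor=${rest%%[!0-9]*}     # keep digits up to the next non-digit
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; then
        return 0
    fi
    return 1
}

# sig_enforce_state PATH -> prints enforcing | permissive | unsupported
sig_enforce_state() {
    if [ ! -r "$1" ]; then echo unsupported; return; fi
    case "$(cat "$1")" in
        Y) echo enforcing ;;
        N) echo permissive ;;   # signing compiled in, unsigned modules still load
        *) echo unsupported ;;
    esac
}

# audit_host -> one line per check; always exits 0 so a collection script
# can gather the output from many hosts without aborting
audit_host() {
    release=$(uname -r)
    if kernel_at_least 3.7 "$release"; then
        echo "kernel $release: OK (3.7 or later, module signing available)"
    else
        echo "kernel $release: FAIL (older than 3.7, no signing enforcement)"
    fi
    case "$(sig_enforce_state "$SIG_ENFORCE_PATH")" in
        enforcing)  echo "module signature enforcement: OK" ;;
        permissive) echo "module signature enforcement: FAIL (boot with module.sig_enforce=1)" ;;
        *)          echo "module signature enforcement: FAIL (kernel lacks CONFIG_MODULE_SIG)" ;;
    esac
    return 0
}

audit_host
```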
