Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
Show in Graph
Image Description
Common Information
Type Value
UUID 5744a7f1-1802-4d9e-8c1a-98a44b4525ce
Fingerprint 479d42b197787b191c832cee87b20dc402c6abbc9f14f0146fcdb50d5e1e4c13
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 13, 2020, 6:58 a.m.
Added to db March 10, 2024, 1:56 a.m.
Last updated Aug. 31, 2024, 8:13 a.m.
Headline Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
Title Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
Detected Hints/Tags/Attributes 140/3/54
Source URLs
Redirection Url
Details Source https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
URL Provider
Details Provider Source level domain
Details defense.gov media.defense.gov
Attributes
Details Type #Events CTI Value
Details Domain 29 
nsa.gov
Details Domain 2 
session.id
Details Domain 1 
open.fail
Details Domain 89 
vol.py
Details Domain 111 
www.justice.gov
Details Domain 2 
editor.org
Details Domain 35 
blackhat.com
Details Domain 34 
msrc-blog.microsoft.com
Details Domain 2 
apps.nsa.gov
Details Domain 25 
www.nsa.gov
Details Domain 2 
dni.gov
Details Domain 12 
www.dni.gov
Details Domain 66 
www.washingtonpost.com
Details Email 14 
cybersecurity_requests@nsa.gov
Details Email 14 
mediarelations@nsa.gov
Details File 115 
auth.log
Details File 1 
auth.pas
Details File 85 
vol.py
Details File 12 
strings.exe
Details File 1 
mem_strings.txt
Details File 1 
rfc6455.txt
Details File 1 
supply-chain-attacks.pdf
Details File 1 
modules-on-linux-operating-systems.cfm
Details File 1 
strategies.pdf
Details File 1 
ica_2017_01.pdf
Details md5 1 
d6c08982dc56bdb63d8603a44c73a2b0
Details md5 1 
dda34761124699ee2c58c8af62218262
Details sha1 1 
e8424a4de6c57f238305c06a33e241542c099283
Details sha1 1 
5f3f954dd33ae5ac6e19038cf3797754f5a94375
Details sha1 1 
a541a27adf5673d53ff2db8adc7608b071fbcd31
Details sha1 1 
9a8b64bcb7156e49f7b82087d3fbabaae18013aa
Details sha256 1 
330af64e5df4bf442564910664a5fe8b7a114a02e315d1ea28c78d6874903965
Details IPv4 3 
82.118.242.171
Details IPv4 2 
185.86.149.125
Details IPv4 3 
192.168.57.100
Details IPv4 56 
192.168.1.2
Details IPv4 2 
192.168.57.200
Details IPv4 1 
192.168.57.25
Details MITRE ATT&CK Techniques 444 
T1071
Details MITRE ATT&CK Techniques 422 
T1041
Details MITRE ATT&CK Techniques 86 
T1059.004
Details MITRE ATT&CK Techniques 152 
T1090
Details MITRE ATT&CK Techniques 41 
T1014
Details Threat Actor Identifier - APT 783 
APT28
Details Url 1 
https://www.justice.gov/usao-wdpa/pr/us-attorney-brady-
Details Url 2 
https://www.rfc
Details Url 1 
https://i.blackhat.com/usa-19/thursday/us-19-doerr-the-enemy-within-modern-
Details Url 2 
https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-
Details Url 1 
https://apps.nsa.gov/iaarchive/library/reports/securing-kernel-
Details Url 2 
https://www.nsa.gov/portals/70/documents/what-we-
Details Url 1 
https://www.dni.gov/files/documents/ica_2017_01.pdf
Details Url 1 
https://www.washingtonpost.com/news/politics/wp/2018/07/13/timeline-how-russian-
Details Yara rule 1 
rule drovorub_library_and_unique_strings {
	meta:
		description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client 
binaries based on unique strings and strings indicating statically linked libraries."
	strings:
		$s1 = "Poco" ascii wide
		$s2 = "Json" ascii wide
		$s3 = "OpenSSL" ascii wide
		$a1 = "clientid" ascii wide
		$a2 = "-----BEGIN" ascii wide
		$a3 = "-----END" ascii wide
		$a4 = "tunnel" ascii wide
	condition:
		(filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*))
}
Details Yara rule 1 
rule drovorub_kernel_module_unique_strings {
	meta:
		description = "Rule detects the Drovorub-kernel module based on unique strings."
	strings:
		$s_01 = "/proc" ascii wide
		$s_02 = "/proc/net/packet" ascii wide
		$s_03 = "/proc/net/raw" ascii wide
		$s_04 = "/proc/net/tcp" ascii wide
		$s_05 = "/proc/net/tcp6" ascii wide
		$s_06 = "/proc/net/udp" ascii wide
		$s_07 = "/proc/net/udp6" ascii wide
		$s_08 = "cs02" ascii wide
		$s_09 = "do_fork" ascii wide
		$s_10 = "es01" ascii wide
		$s_11 = "g001" ascii wide
		$s_12 = "g002" ascii wide
		$s_13 = "i001" ascii wide
		$s_14 = "i002" ascii wide
		$s_15 = "i003" ascii wide
		$s_16 = "i004" ascii wide
		$s_17 = "module" ascii wide
		$s_18 = "sc!^2a" ascii wide
		$s_19 = "sysfs" ascii wide
		$s_20 = "tr01" ascii wide
		$s_21 = "tr02" ascii wide
		$s_22 = "tr03" ascii wide
		$s_23 = "tr04" ascii wide
		$s_24 = "tr05" ascii wide
		$s_25 = "tr06" ascii wide
		$s_26 = "tr07" ascii wide
		$s_27 = "tr08" ascii wide
		$s_28 = "tr09" ascii wide
	condition:
		all of them
}