Drovorub malware complex infects Linux OS

The US National Security Agency and the Federal Bureau of Investigation have published a report stating that the 85th Main Special Service Center of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (85 GTSSS GRU) uses a malware suite called "Drovorub" (Russian for "woodcutter"). Drovorub consists of a rootkit implemented as a Linux kernel module, a tool for transferring files and forwarding network ports, and a command-and-control server. The client side can download and upload files, execute arbitrary commands as the root user, and forward network ports to other hosts.

The Drovorub server receives the path to a JSON configuration file as a command-line argument:

{
  "db_host" : " ",
  "db_port" : " ",
  "db_db" : " ",
  "db_user" : " ",
  "db_password" : " ",

  "lport" : " ",
  "lhost" : " ",
  "ping_sec" : " ",

  "priv_key_file" : " ",
  "phrase" : " "
}

MySQL is used as the backend database, and clients connect over the WebSocket protocol.

The client carries a built-in configuration that includes the server URL, the server's RSA public key, a username and a password. Once the rootkit is installed, the configuration is saved as a JSON text file, which the Drovorub kernel module hides from the rest of the system:

{
  "id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier issued by the server, whose last 48 bits correspond to the MAC address of the server's network interface. The default value of "key" is the base64-encoded string "clientkey", which the server uses during the initial handshake. The configuration file may additionally list the files, modules and network ports that are to be hidden:

{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" : [
      {
        "active" : "true",
        "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
        "mask" : "testfile1"
      }
    ],
    "module" : [
      {
        "active" : "true",
        "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
        "mask" : "testmodule1"
      }
    ],
    "net" : [
      {
        "active" : "true",
        "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
        "port" : "12345",
        "protocol" : "tcp"
      }
    ]
  }
}
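The hidden client configuration is exactly the kind of artifact that turns up during disk or memory analysis of a suspected host. The following Python script is an added example (not part of the article or of the published report) that parses a configuration in the layout shown above and pulls out what an analyst wants first: the 48-bit node and timestamp fields of the version-1 UUID in "id" (the article notes the node holds the server's MAC address; the timestamp field is standard RFC 4122 and is an assumption only in the sense that the article does not mention it), whether the handshake key is still the documented default "clientkey", and every file, module and port the rootkit has been told to hide. The sample configuration is constructed from the values printed above.

```python
import base64
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout shown in the article; the ids, key and
# masks are the ones printed there, the surrounding text is retyped by hand.
SAMPLE_CLIENT_CONFIG = """
{
  "id": "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key": "Y2xpZW50a2V5",
  "monitor": {
    "file":   [{"active": "true", "id": "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask": "testfile1"}],
    "module": [{"active": "true", "id": "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask": "testmodule1"}],
    "net":    [{"active": "true", "id": "4f355d5d-9753-76c7-161e-7ef051654a2b", "port": "12345", "protocol": "tcp"}]
  }
}
"""

# RFC 4122 version-1 UUIDs carry a 60-bit count of 100 ns ticks since 1582-10-15
# and a 48-bit "node" field that is normally the generating host's MAC address.
_UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def describe_id(client_id):
    """Return the node (MAC) and generation time encoded in a version-1 UUID.

    Ids that are not version 1 (the per-entry monitor ids, for instance) carry
    no such fields, so only the version is reported for them.
    """
    u = uuid.UUID(client_id)
    if u.version != 1:
        return {"uuid": str(u), "version": u.version, "mac": None, "generated": None}
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    generated = _UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return {"uuid": str(u), "version": 1, "mac": mac, "generated": generated}


def parse_client_config(text):
    """Summarise a recovered client configuration: server identity hints from
    "id", the handshake key, and everything the rootkit has been told to hide."""
    cfg = json.loads(text)
    key = base64.b64decode(cfg["key"]).decode("ascii", errors="replace")
    summary = {
        "id": describe_id(cfg["id"]),
        "key": key,
        "default_key": key == "clientkey",   # the default value named in the article
        "hidden_files": [],
        "hidden_modules": [],
        "hidden_ports": [],
    }
    monitor = cfg.get("monitor", {})
    for entry in monitor.get("file", []):
        if entry.get("active") == "true":
            summary["hidden_files"].append(entry["mask"])
    for entry in monitor.get("module", []):
        if entry.get("active") == "true":
            summary["hidden_modules"].append(entry["mask"])
    for entry in monitor.get("net", []):
        if entry.get("active") == "true":
            summary["hidden_ports"].append((entry["protocol"], int(entry["port"])))
    return summary


if __name__ == "__main__":
    report = parse_client_config(SAMPLE_CLIENT_CONFIG)
    print("server MAC (from id):", report["id"]["mac"])
    print("id generated at:     ", report["id"]["generated"])
    print("default key in use:  ", report["default_key"])
    print("hidden files/modules/ports:", report["hidden_files"],
          report["hidden_modules"], report["hidden_ports"])
```

For the sample above the node field decodes to 00:0c:29:28:3b:bc and the timestamp to June 2020; the earlier id cbcf6abc-466b-11e9-853b-000c29cb9f6f decodes to a March 2019 timestamp. The 00:0c:29 prefix is the OUI that VMware assigns to virtual network adapters, so in this case the "server MAC" points at a virtual machine rather than at physical hardware.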

Another Drovorub component is the agent; its configuration file holds the information needed to connect to the server:

{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent at first; they are added after the initial registration with the server.

After installation, the following operations are performed:

  • a kernel module is loaded that registers hooks for system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable on disk.

A pseudo-device such as /dev/zero is used for communication between the client and the kernel module. The kernel module parses all data written to the device; to send data in the opposite direction, it sends the client a SIGUSR1 signal, after which the client reads the data from the same device.

Drovorub can be detected by analysing network traffic with a NIDS (on the infected host itself the malicious network activity cannot be observed, because the kernel module hides the network sockets it uses, its netfilter rules, and the packets that could otherwise be captured through raw sockets). On a host where Drovorub is installed, the kernel module can be detected by sending it a command to hide a file:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

If the rootkit is present, the newly created file "testfile" disappears from the listing.

Other detection methods include analysis of memory and disk contents. To prevent infection, it is recommended to enforce mandatory signature verification for the kernel and its modules, which has been available since Linux kernel 3.7.
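The two host-side checks above, the hide-command probe and the module-signing recommendation, are easy to script so that they can be run consistently across a fleet. The following Python script is an added example (not part of the article or the report) that replays the touch / echo / ls probe against a temporary directory and reports whether the file vanished, and that parses a kernel configuration for the CONFIG_MODULE_SIG* options to tell whether unsigned modules would actually be refused. The kernel config fragments are constructed; the sysfs path /sys/module/module/parameters/sig_enforce is the real switch exposed by kernels built with module signing support, and the probe's default device /dev/zero follows the article.

```python
import os
import re
import tempfile

# Command format from the article: "<magic>:hf:<name>" asks the kernel module
# to hide the named file. On a clean system writing it to /dev/zero is a no-op.
HIDE_COMMAND = "ASDFZXCV:hf:{name}"


def probe_hidden_file(device="/dev/zero", name="testfile"):
    """Replay the touch / echo / ls check and report whether the file vanished.

    Returns True when the directory listing no longer shows the file after the
    hide command was written, i.e. something intercepted the request.
    """
    workdir = tempfile.mkdtemp(prefix="drovorub-probe-")
    path = os.path.join(workdir, name)
    try:
        open(path, "w").close()                       # touch testfile
        with open(device, "w") as dev:                # echo "ASDFZXCV:hf:testfile" > /dev/zero
            dev.write(HIDE_COMMAND.format(name=name))
        return name not in os.listdir(workdir)        # ls
    finally:
        for victim, remove in ((path, os.remove), (workdir, os.rmdir)):
            try:
                remove(victim)                        # best-effort cleanup
            except OSError:
                pass


_SIG_OPTIONS = ("CONFIG_MODULE_SIG", "CONFIG_MODULE_SIG_FORCE", "CONFIG_MODULE_SIG_ALL")


def module_signing_options(config_text):
    """Parse CONFIG_MODULE_SIG* out of a kernel config (for example the text of
    /boot/config-$(uname -r)) and say whether unsigned modules are refused.

    CONFIG_MODULE_SIG alone only verifies signatures and taints the kernel on
    failure; loading is refused only with CONFIG_MODULE_SIG_FORCE=y (or the
    module.sig_enforce=1 boot parameter).
    """
    opts = {}
    for option in _SIG_OPTIONS:
        match = re.search(rf"^{option}=(\S+)$", config_text, re.MULTILINE)
        opts[option] = match.group(1) if match else None   # None: "is not set" or absent
    opts["unsigned_modules_refused"] = (
        opts["CONFIG_MODULE_SIG"] == "y" and opts["CONFIG_MODULE_SIG_FORCE"] == "y"
    )
    return opts


def sig_enforce_live(path="/sys/module/module/parameters/sig_enforce"):
    """Read the running kernel's signature-enforcement switch; None when the
    kernel was built without module signing support (or sysfs is unavailable)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "Y"
    except OSError:
        return None


# Constructed kernel-config fragments: signing enabled but not enforced, and enforced.
WEAK_CONFIG = "CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\nCONFIG_MODULE_SIG_ALL=y\n"
HARDENED_CONFIG = "CONFIG_MODULES=y\nCONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_FORCE=y\nCONFIG_MODULE_SIG_ALL=y\n"


if __name__ == "__main__":
    print("file hidden after hide command:", probe_hidden_file())
    print("running kernel enforces module signatures:", sig_enforce_live())
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, module_signing_options(cfg))
```

A probe result of True is a strong indicator, but a result of False is not proof of a clean host: a hypothetical variant could use a different magic string or device. The signing check is the more durable control, since a kernel that refuses unsigned modules never loads the rootkit in the first place.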

The report includes Snort rules for detecting Drovorub network activity and YARA rules for detecting its components.

Recall that 85 GTSSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, which is responsible for numerous cyberattacks.

Source: opennet.ru