The hypothesis is that the detected network communication indicates the presence of Drovorub malware components, which are used for C2 and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of Azure environments.
YARA Rule
rule APT_APT28_drovorub_unique_network_comms_strings {
    meta:
        description = "Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based"
        author = "NSA / FBI"
        reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
        date = "2020-08-13"
        score = 75
        id = "c6a930e8-c1c0-5d96-9051-7516df848b45"
    strings:
        $s_01 = "action" wide ascii
        $s_02 = "auth.commit" wide ascii
        $s_03 = "auth.hello" wide ascii
        $s_04 = "auth.login" wide ascii
        $s_05 = "auth.pending" wide ascii
        $s_06 = "client_id" wide ascii
        $s_07 = "client_login" wide ascii
        $s_08 = "client_pass" wide ascii
        $s_09 = "clientid" wide ascii
        $s_10 = "clientkey_base64" wide ascii
        $s_11 = "file_list_request" wide ascii
        $s_12 = "module_list_request" wide ascii
        $s_13 = "monitor" wide ascii
        $s_14 = "net_list_request" wide ascii
        $s_15 = "server finished" wide ascii
        $s_16 = "serverid" wide ascii
        $s_17 = "tunnel" wide ascii
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 17 string patterns in its detection logic.
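The following Python is an added example, not part of the original page or of the NSA/FBI advisory. It reimplements the rule's matching semantics in plain Python, each of the 17 strings in both its "ascii" (raw bytes) and "wide" (UTF-16LE) form, with the condition "all of them", so an analyst can confirm what the rule fires on, and what it does not, without a YARA install. Both input buffers are constructed for the example; the benign one shows why the rule insists on all 17 strings rather than any subset, since generic words such as "action", "monitor" and "tunnel" occur in ordinary traffic.

```python
"""Pure-Python emulation of APT_APT28_drovorub_unique_network_comms_strings.

Added example; not part of the original page or of the NSA/FBI advisory.
It reimplements the rule's matching semantics (each string in both 'ascii' and
'wide' encodings, condition 'all of them') so an analyst can check what the rule
does and does not fire on without a YARA install. Sample buffers are constructed.
"""
from typing import Dict, List

# The 17 strings exactly as declared in the rule, keyed by their identifiers.
DROVORUB_STRINGS: Dict[str, str] = {
    "$s_01": "action",
    "$s_02": "auth.commit",
    "$s_03": "auth.hello",
    "$s_04": "auth.login",
    "$s_05": "auth.pending",
    "$s_06": "client_id",
    "$s_07": "client_login",
    "$s_08": "client_pass",
    "$s_09": "clientid",
    "$s_10": "clientkey_base64",
    "$s_11": "file_list_request",
    "$s_12": "module_list_request",
    "$s_13": "monitor",
    "$s_14": "net_list_request",
    "$s_15": "server finished",
    "$s_16": "serverid",
    "$s_17": "tunnel",
}


def encodings(text: str) -> Dict[str, bytes]:
    """The two byte forms that the 'wide ascii' modifier pair produces.

    'ascii' is the raw single-byte form; 'wide' is UTF-16LE, i.e. every
    character followed by a NUL byte, the layout of Windows-style strings.
    """
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """All (possibly overlapping) offsets of pattern in data."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def matched_strings(data: bytes) -> Dict[str, List[int]]:
    """Map each rule identifier that occurs in data (either encoding) to its offsets."""
    hits: Dict[str, List[int]] = {}
    for ident, text in DROVORUB_STRINGS.items():
        offsets = [off for pat in encodings(text).values() for off in find_all(data, pat)]
        if offsets:
            hits[ident] = sorted(offsets)
    return hits


def rule_matches(data: bytes) -> bool:
    """The rule's condition, 'all of them': every declared string must appear."""
    return len(matched_strings(data)) == len(DROVORUB_STRINGS)


def build_sample(strings: List[str]) -> bytes:
    """Constructed buffer: alternates ascii and UTF-16LE forms, separated by padding."""
    parts = []
    for i, s in enumerate(strings):
        parts.append(s.encode("utf-16-le") if i % 2 else s.encode("ascii"))
        parts.append(b"\x00\x00|")
    return b"".join(parts)


# Constructed inputs, not real captures. The benign request carries three of the
# generic strings, which is why the rule requires all 17 before it fires.
SAMPLE_ALL_STRINGS = build_sample(list(DROVORUB_STRINGS.values()))
SAMPLE_BENIGN = b"GET /action HTTP/1.1\r\nX-Debug: monitor tunnel\r\n\r\n"


if __name__ == "__main__":
    for name, buf in (("constructed Drovorub-like buffer", SAMPLE_ALL_STRINGS),
                      ("constructed benign request", SAMPLE_BENIGN)):
        hits = matched_strings(buf)
        print(f"{name}: {len(hits)}/17 strings, rule fires = {rule_matches(buf)}")
```

Run the file directly to see both buffers evaluated; `matched_strings` is the useful function when tuning, because it shows which identifiers a near-miss sample did and did not hit, and at which offsets, before any exclusion is written.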
Scenario: Legitimate use of Drovorub tools for internal monitoring
Description: A security team uses Drovorub-server and Drovorub-agent for internal network monitoring and log aggregation.
Filter/Exclusion: Check for presence of known security team IP ranges or use of specific command-line flags indicating internal use (e.g., --internal).

Scenario: Scheduled system maintenance using Drovorub-client
Description: A scheduled job runs Drovorub-client to perform system diagnostics or update configurations during off-peak hours.
Filter/Exclusion: Filter by process name or command-line arguments that indicate scheduled tasks (e.g., --schedule, --cron).

Scenario: Network discovery via Drovorub-agent for inventory purposes
Description: An admin uses Drovorub-agent to discover and inventory devices on the internal network for asset management.
Filter/Exclusion: Exclude traffic originating from known admin workstations or use of specific discovery flags (e.g., --inventory, --discover).

Scenario: Integration with SIEM tools using Drovorub-server
Description: Drovorub-server is used to forward logs to a SIEM system for centralized monitoring and alerting.
Filter/Exclusion: Filter by destination IP addresses associated with SIEM systems or use of specific log forwarding flags (e.g., --siem, --forward).

Scenario: Testing Drovorub tools in a lab environment
Description: Security engineers test Drovorub tools in a sandbox or lab environment to validate detection rules.
Filter/Exclusion: Exclude traffic from known lab IP ranges or virtual environments (e.g., --test, --sandbox).