Research Report

Fidelis Threat Advisory #1021: The Turbo campaign, featuring Derusbi for 64-bit Linux

In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part of a campaign we’ve labeled Turbo, for the associated kernel module that was deployed. Derusbi has been widely covered and associated with Chinese threat actors. This malware has been reported to have been used in high-profile incidents like the ones involvingWellpoint/Anthem, USIS and Mitsubishi Heavy Industries. These incidents have ranged from simple targeting to reported breaches. Every one of these campaigns involved a Windows version of Derusbi.

While we’ve analyzed many common variants of Derusbi, this one got our attention because this is a 64-bit Linux variant of Derusbi, the only such sample we have observed in our datasets as well as in public repositories. To our knowledge, no analysis of such malware has been made publicly available.

Key Findings

  • Both the malware and kernel module demonstrate cloaking and anti-analysis techniques. While they mimic techniques observed in Windows tools used by APT in some respects, the use in the Linux environment has forced new and sometimes unique implementations.
  • This Derusbi sample shares command and control (C2) infrastructure with PlugX samples targeting Windows systems seen in public repositories. It is our understanding that these tools were used in conjunction in the campaign.
  • The Derusbi sample has command and control patterns that precisely match those observed with the Windows samples. This will allow for reuse of command and control platforms for intrusions involving both Windows and Linux samples.
  • We believe the binary was recompiled on the same day it was installed, with the kernel module rebuilt to precisely match the configuration on the target system. This suggests the active participation of developers with the team conducting the operation. This is distinct from the workflow associated with the more mature APT tools, where builders for tools like PlugX, Sakula and Derusbi are assumed to be available to multiple actor sets who are likely simply users of these tools.
  • The active participation of developers is further substantiated by the use of the Turbo Linux kernel module, which was clearly compiled for the precise Linux version running on the target system.

Analysis

A number of anti-forensics techniques must be bypassed in order to determine the true capabilities of this sample. Two techniques used to hamper forensic analysis include the ability to run as a memory-resident memory module to prevent file-based detection of the Linux Kernel Module on the localhost and the ability to cleanly remove it from disk.

This 64-bit Linux variant of Derusbi shares many of the common capabilities provided by a typical remote access tool, including directory and file operations, command execution and remote access.  Additionally, obfuscation capabilities, such as timestomping and process hiding, make this sample even more interesting and difficult to analyze.

It is important to note that it would take significant effort to replicate the capabilities of the Windows version into the Linux version. This indicates an investment by the adversary to gain additional footholds within a victim’s infrastructure. By adding 64-bit Linux servers and clients to their target list it is evident that advanced threat actors continue to add to their capabilities. Enterprises worldwide have been investing in Windows-based detection and remediation platforms for many years now. Linux is widely used in the datacenter and for hosting critical applications and databases. The use of such malware instantly bypasses entire classes of commercial, Windows-only security products, thus opening up significant new exposures for enterprises.