The Turbo Campaign, Featuring Derusbi for 64-bit Linux

Executive Summary

In the summer of 2015, Fidelis Cybersecurity had the opportunity to analyze a Derusbi malware sample used as part of a campaign we’ve labeled Turbo, for the associated kernel module that was deployed. Derusbi has been widely covered and associated with Chinese threat actors. This malware has been reported to have been used in high profile incidents like the ones involving Wellpoint/Anthem, USIS and Mitsubishi Heavy Industries. These incidents have ranged from simple targeting to reported breaches. Every one of these campaigns involved a Windows version of Derusbi. While we’ve analyzed many common variants of Derusbi, this one got our attention because it’s a Linux variant. A few items make the tools used in this campaign special:

  • This is a 64-bit Linux variant of Derusbi, the only such sample we have observed in our datasets as well as in public repositories. To our knowledge, no analysis of such malware has been made publicly available.
  • We retrieved and analyzed a 64-bit Linux kernel module that was dropped by Derusbi. We’re calling this module Turbo.
  • Both the malware and kernel module demonstrate cloaking and anti-analysis techniques. While they mimic techniques observed in Windows tools used by APT in some respects, the use in the Linux environment has forced new and sometimes unique implementations.
  • This Derusbi sample shares command-and-control infrastructure with PlugX samples targeting Windows systems seen in public repositories. It is our understanding that these tools were used in conjunction in the campaign.
  • The Derusbi sample has command and control (C2) patterns that precisely match those observed with the Windows samples. This will allow for reuse of command and control platforms for intrusions involving both Windows and Linux samples.
  • In this incident, we believe that the binary was recompiled on the same day it was installed with the kernel module rebuilt to precisely match the configuration on the target system, potentially indicating the active participation of developers with the team conducting the operation. This is distinct from the workflow associated with the more mature APT tools, where builders for tools like PlugX, Sakula and Derusbi are assumed to be available to multiple actor sets who are likely simply users of these tools.
  • The active participation of developers is further substantiated by the use of the Turbo Linux Kernel Module, which was clearly compiled for the precise Linux version running on the target system.

Related on Threat Geek:

Download Full Threat Advisory