by rodionos 2134 days ago
> The Drovorub-server uses a MySQL database to manage the connecting Drovorub-client(s) and Drovorub-agent(s).

This assumes the NSA was able to infiltrate the Drovorub C2 server, I guess.

They have the server software. There are a couple of ways they could get it. 1.) They could have hacked the C2 server or a development network, like you are talking about. 2.) The server could be forward deployed to a cloud provider or other infrastructure and law enforcement served a subpoena for a copy of the cloud server. The second seems just as likely as the first.
Or they could have just bought a copy from a compromised developer. Real world spying happens a lot too.
Yeah, there's a lot of other ways they could have gotten it.
Not necessarily. You could probably infer it from a MySQL client in the malware itself and the queries it's making to tables and such.
They know specific commands and configurations for the "Drovorub-server" which is the "Command and Control (C2) Server." This makes me think they have the actual server software and probably some sort of operational deployment.
That sounds reaaally unlikely. If the malware shipped a mysql client the NSA would definitely be able to pop the mysql server it connects to.
The point wasn't whether or not they could or did. The point was that it could be inferred based on what SQL client the malware client was using without ever touching the server.
It is extraordinarily unlikely that the malware would ship with a MySQL client or talk MySQL with the C2.

If it does, that's an easy claim to prove.

Read the document. They have the server software. They have configuration files for the server, they know how it processes communication, they know how it generates UUIDs. They have the server software.
Why RTFA when I can make baseless speculations? :D
Link is broken now.