A subgroup of the Iranian nation-state group known as Nemesis Kitten has been attributed as being behind a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.
“Using GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what’s being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
The Iranian government-sponsored actor’s malicious activities came under the radar earlier in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.
Nemesis Kitten is tracked by the broader cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It is also a sub-cluster of the Phosphorus group, which Microsoft tracks under the designation DEV-0270.
It is further said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that is “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”
Subsequent investigations into the adversary’s operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.
Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage’s origins to two Iranian front companies, Najee Technology and Afkar System, which, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation as a means of establishing persistence, it consists of a dropper and a payload that is used to execute commands received from a remote server.
“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” the cybersecurity firm said in a report shared with The Hacker News.
This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary via a compressed ZIP archive hosted on a file transfer service.
As a detection evasion measure, Drokbk employs a technique called dead drop resolver to determine its command-and-control (C2) server. The covert tactic refers to the use of an existing, legitimate external web service to host information that points to additional C2 infrastructure.
In the attack chain observed by Secureworks, this is achieved by leveraging an actor-controlled GitHub repository that contains the C2 server information within the README.md file.
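Because the dead drop traffic is encrypted and goes to a legitimate service, a defender is usually left with proxy or DNS metadata rather than content. The following is an added example, not code from the Secureworks report or from Drokbk itself, showing one heuristic a SOC can run over web-proxy logs: repeated fetches of a GitHub-hosted README.md by the same client, with a non-browser (or empty) user agent and near-regular timing, which together look more like a beaconing resolver than a person reading a project page. The log lines are constructed for the example, and the log format, thresholds and field layout are assumptions; adapt them to your proxy's actual schema.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (assumed format: timestamp, client IP,
# quoted user agent, URL, HTTP status). Not taken from the report.
SAMPLE_LOG = """\
2022-02-10T09:00:00Z 10.1.2.20 "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0" https://github.com/someorg/project/blob/main/README.md 200
2022-02-10T09:00:05Z 10.1.2.31 "-" https://raw.githubusercontent.com/exampleuser/repo/main/README.md 200
2022-02-10T09:10:05Z 10.1.2.31 "-" https://raw.githubusercontent.com/exampleuser/repo/main/README.md 200
2022-02-10T09:20:04Z 10.1.2.31 "-" https://raw.githubusercontent.com/exampleuser/repo/main/README.md 200
2022-02-10T09:30:06Z 10.1.2.31 "-" https://raw.githubusercontent.com/exampleuser/repo/main/README.md 200
2022-02-10T09:31:00Z 10.1.2.20 "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0" https://raw.githubusercontent.com/someorg/project/main/README.md 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\d{3})$')
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com")

# Tunable thresholds (assumed values for the example).
MIN_HITS = 3          # need at least this many fetches to judge timing
MAX_JITTER = 0.2      # coefficient of variation of inter-request gaps


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, ua, url, status = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "ua": ua,
        "url": url,
        "status": int(status),
    }


def is_github_readme(url):
    """True when the URL targets a README.md on a GitHub-owned host."""
    m = re.match(r"^https?://([^/]+)(/.*)$", url)
    return bool(m) and m.group(1) in GITHUB_HOSTS and m.group(2).endswith("/README.md")


def looks_like_browser(ua):
    """Crude browser check: real browsers identify with a Mozilla/ prefix."""
    return ua.startswith("Mozilla/")


def find_dead_drop_beacons(log_text):
    """Return findings for (client, URL) pairs that fetch a GitHub README.md
    repeatedly, without a browser user agent, at near-regular intervals."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_github_readme(rec["url"]) and not looks_like_browser(rec["ua"]):
            groups[(rec["client"], rec["url"])].append(rec["ts"])

    findings = []
    for (client, url), stamps in groups.items():
        if len(stamps) < MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({
                "client": client,
                "url": url,
                "hits": len(stamps),
                "mean_interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_beacons(SAMPLE_LOG):
        print(f)
```

The browser on 10.1.2.20 touches README files twice with a normal user agent and is ignored; the client 10.1.2.31 polls the same raw README every ten minutes with an empty user agent and is surfaced for triage. A finding like this is a lead, not a verdict: the next step is to pull the process that made the connection from endpoint telemetry and inspect the repository contents, since legitimate tooling also fetches raw GitHub files on a schedule.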
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.
