A subgroup of an Iranian nation-state group, known as Nemesis Kitten, has been linked to a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.
“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
The Iranian government-sponsored actor’s malicious activities drew attention in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.
Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It’s also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.
It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that’s “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”
Subsequent investigations into the adversary’s operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.
Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage’s origins to two Iranian front companies, Najee Technology and Afkar System, that, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation to establish persistence, it consists of a dropper and a payload that’s used to execute commands received from a remote server.
“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” the cybersecurity company said in a report shared with The Hacker News.
This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.
As a detection evasion measure, Drokbk uses a technique called a dead drop resolver to determine its command-and-control (C2) server. A dead drop resolver is the use of a legitimate external web service to host information that points to additional C2 infrastructure.
In this instance, this is achieved by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file.
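Because the GitHub traffic itself is encrypted, a defender usually has to work from connection metadata rather than content. The following added example (not from the Secureworks report or this article) sketches one such heuristic over constructed endpoint telemetry: a process that is not an expected GitHub client contacts GitHub and, shortly afterwards, connects to a destination never seen before. The host names, process names, allowlist, and 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed endpoint network telemetry: (host, process, destination, time).
# All values are illustrative; none come from the Drokbk report.
EVENTS = [
    ("ws-01", "chrome.exe", "github.com", "2022-02-10T09:00:00"),
    ("ws-01", "chrome.exe", "news.example.org", "2022-02-10T09:00:20"),
    ("srv-07", "git.exe", "github.com", "2022-02-10T09:05:00"),
    ("srv-07", "svc-helper.exe", "raw.githubusercontent.com", "2022-02-10T09:10:00"),
    ("srv-07", "svc-helper.exe", "c2.example.net", "2022-02-10T09:10:04"),
    ("srv-07", "svc-helper.exe", "c2.example.net", "2022-02-10T09:40:04"),
    ("srv-09", "backup.exe", "storage.example.com", "2022-02-10T10:00:00"),
]

GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Assumption: processes expected to talk to GitHub in this environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}
WINDOW = timedelta(seconds=60)  # assumed resolver-to-next-hop delay

def find_dead_drop_candidates(events, known_destinations=frozenset()):
    """Flag processes that are unexpected GitHub clients and that connect to a
    never-before-seen destination within WINDOW of contacting GitHub."""
    seen = set(known_destinations)  # baseline of destinations already observed
    last_github = {}                # (host, process) -> time of last GitHub contact
    findings = []
    for host, proc, dest, ts in sorted(events, key=lambda e: e[3]):
        when = datetime.fromisoformat(ts)
        key = (host, proc.lower())
        if dest in GITHUB_HOSTS:
            if key[1] not in EXPECTED_CLIENTS:
                last_github[key] = when
        elif dest not in seen:
            resolved_at = last_github.get(key)
            if resolved_at is not None and when - resolved_at <= WINDOW:
                findings.append({"host": host, "process": proc, "next_hop": dest,
                                 "delay_s": (when - resolved_at).total_seconds()})
        seen.add(dest)
    return findings

if __name__ == "__main__":
    for finding in find_dead_drop_candidates(EVENTS):
        print(finding)
```

A hit is a lead for triage rather than a verdict; the allowlist and the baseline of known destinations need tuning per environment.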
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.