
Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

by crpt os


Dec 09, 2022, by Ravie Lakshmanan

The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.

“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”

The Iranian government-sponsored actor’s malicious activities came onto the radar earlier, in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.


Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It’s also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.

It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that’s “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”

Subsequent investigations into the adversary’s operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.

Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage’s origins to two Iranian front companies, Najee Technology and Afkar System, that, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).

Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation as a form of establishing persistence, it consists of a dropper and a payload that’s used to execute commands received from a remote server.

“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” the cybersecurity company said in a report shared with The Hacker News.

This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.

As a detection evasion measure, Drokbk uses a technique called dead drop resolver to determine its command-and-control (C2) server. Dead drop resolver refers to the use of a legitimate external Web service to host information that points to additional C2 infrastructure.

In this instance, this is achieved by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file.
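A detection-side illustration of the pattern described above, added here as an example and not code from Secureworks or the report: it scans proxy-style log lines for non-developer processes that repeatedly fetch a README.md from a GitHub repository. The log format, the host and process names, the allowlist and the repository names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the report).
# Assumed format: <timestamp> <host> <process> <url>
SAMPLE_LOGS = """\
2022-02-14T10:01:03Z ws-042 svchost.exe https://raw.githubusercontent.com/exampleuser/repo1/main/README.md
2022-02-14T10:06:05Z ws-042 svchost.exe https://raw.githubusercontent.com/exampleuser/repo1/main/README.md
2022-02-14T10:11:02Z ws-042 svchost.exe https://raw.githubusercontent.com/exampleuser/repo1/main/README.md
2022-02-14T10:12:40Z dev-007 git.exe https://github.com/exampleorg/tool.git/info/refs?service=git-upload-pack
2022-02-14T10:13:11Z dev-007 chrome.exe https://github.com/exampleorg/tool/blob/main/README.md
2022-02-14T10:15:00Z ws-042 svchost.exe https://www.microsoft.com/
"""

# Processes expected to talk to GitHub on a workstation (assumed allowlist; tune per environment).
EXPECTED_PROCESSES = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

# A README.md fetched from a GitHub repository, the dead drop location the article describes.
README_RE = re.compile(
    r"^https://(raw\.githubusercontent\.com|github\.com)/(?P<owner>[^/]+)/(?P<repo>[^/]+)/.*README\.md$",
    re.IGNORECASE,
)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>\S+)$")


def find_readme_beacons(log_text, min_hits=2):
    """Return sorted (host, process, owner/repo) tuples for README.md fetches
    made at least min_hits times by a process that is not on the allowlist."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        proc = m.group("proc").lower()
        if proc in EXPECTED_PROCESSES:
            continue
        u = README_RE.match(m.group("url"))
        if not u:
            continue
        key = (m.group("host"), proc, f"{u.group('owner')}/{u.group('repo')}")
        hits[key] += 1
    return sorted(k for k, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for host, proc, repo in find_readme_beacons(SAMPLE_LOGS):
        print(f"{host}: {proc} repeatedly fetched README.md from {repo}")
```

Because the GitHub traffic itself is encrypted, this only works where a TLS-inspecting proxy or an endpoint agent records full URLs; without that visibility the fallback is the weaker signal of an unexpected process resolving or connecting to GitHub hosts at all.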

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.
