2022-12-10

A previously undocumented custom malware named Drokbk, which uses GitHub as a dead drop resolver, has been attributed to an Iranian hacker group known as Nemesis Kitten. The malware is used to steal data from an infected PC or, more generally, to receive data of various kinds from its operators.

“Using GitHub as a virtual dead drop helps the malware blend in,” stated Rafe Pilling, Principal Investigator at Secureworks. “All traffic to GitHub is encrypted, which means defensive technologies cannot see what is being passed back and forth. And since GitHub is a legitimate service, it raises fewer questions.”

The malicious activities of this group, allegedly acting on behalf of the Iranian government, first came onto the radar in early February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to spread ransomware.

How was Drokbk discovered, and why does it use GitHub?

Nemesis Kitten is tracked by the broader cybersecurity community under various names, including TunnelVision, Cobalt Mirage and UNC2448; it also appears to be a sub-cluster of the Phosphorus group, and Microsoft tracks it under the designation DEV-0270.

The group also appears to share tactical overlaps with another group called Cobalt Illusion (also known as APT42), a Phosphorus subgroup that is “tasked with conducting intelligence-gathering and surveillance operations against individuals and organizations of strategic interest to the Iranian government”.

Subsequent investigations into the operations of the threat actors behind Drokbk uncovered two distinct types of intrusion: Cluster A, which uses BitLocker and DiskCryptor to conduct ransomware attacks for profit, and Cluster B, which carries out targeted intrusions aimed at stealing information.

Microsoft, Google Mandiant and Secureworks have since unearthed evidence tracing Cobalt Mirage to two Iranian front companies, Najee Technology and Afkar System, which, according to the US Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps.

Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET (a Microsoft language). Deployed to activate automatically on infected devices, it consists of a dropper and a payload and is used to execute commands received from a remote server.

“The first signs of its use in the field date back to a February 2022 intrusion into a US local government network,” the cybersecurity firm said in a report.

This attack compromised a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary via a compressed ZIP archive hosted on a file transfer service.

To evade tracking, Drokbk uses a technique called dead drop resolver to determine its command-and-control (C2) server. This covert tactic relies on an existing, legitimate external web service to host information pointing to additional C2 infrastructure; in this case, that service is GitHub.

In the attacks monitored by Secureworks, this is achieved through an attacker-controlled GitHub repository whose README.md file contains the C2 server information.
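Because the GitHub traffic itself is encrypted, the practical place to catch a dead drop lookup is process-level telemetry: which program opened the connection. The check below is an added example for this article, not Secureworks' code or anything from its report; it scans constructed Sysmon Event ID 3 style lines and flags GitHub connections made by images outside an assumed allowlist (the host list, allowlist and line format are all assumptions).

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# GitHub endpoints a dead drop resolver could fetch a README from (assumed list).
GITHUB_HOSTS = {
    "github.com", "raw.githubusercontent.com", "api.github.com",
    "gist.github.com", "objects.githubusercontent.com",
}

# Assumed allowlist: images that legitimately talk to GitHub in this estate.
EXPECTED_IMAGES = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                   "devenv.exe", "code.exe"}

# Pull the two Sysmon fields we need; field order in the line does not matter.
IMAGE_RE = re.compile(r"Image:\s*([^|]+?)\s*(?:\||$)")
HOST_RE = re.compile(r"DestinationHostname:\s*([^|]+?)\s*(?:\||$)")


@dataclass(frozen=True)
class Finding:
    image: str
    host: str


def parse_line(line: str):
    """Return (image, host) from one log line, or None if a field is missing."""
    img, host = IMAGE_RE.search(line), HOST_RE.search(line)
    if not img or not host:
        return None
    # Normalise case and a trailing dot so "GitHub.com." still matches.
    return img.group(1), host.group(1).lower().rstrip(".")


def is_github_host(host: str) -> bool:
    return host in GITHUB_HOSTS or host.endswith(".githubusercontent.com")


def suspicious_github_connections(lines):
    """Flag GitHub connections whose originating image is not on the allowlist."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, host = parsed
        if is_github_host(host) and PureWindowsPath(image).name.lower() not in EXPECTED_IMAGES:
            findings.append(Finding(image, host))
    return findings


# Constructed sample telemetry for the demo; not real Drokbk indicators.
SAMPLE_LOG = [
    "EventID: 3 | Image: C:\\Program Files\\Git\\cmd\\git.exe | DestinationHostname: github.com | DestinationPort: 443",
    "EventID: 3 | Image: C:\\Users\\Public\\svc.exe | DestinationHostname: raw.githubusercontent.com | DestinationPort: 443",
    "EventID: 3 | Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe | DestinationHostname: api.github.com | DestinationPort: 443",
    "EventID: 3 | Image: C:\\Windows\\Temp\\update.exe | DestinationHostname: contoso.com | DestinationPort: 443",
    "EventID: 3 | Image: C:\\Windows\\Temp\\update.exe | DestinationHostname: GitHub.com. | DestinationPort: 443",
]

if __name__ == "__main__":
    for f in suspicious_github_connections(SAMPLE_LOG):
        print(f"suspect dead-drop lookup: {f.image} -> {f.host}")
```

In a real deployment the allowlist should be derived from the estate's own baseline of GitHub-using software, and a hit should be paired with a look at the image's path and signature.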

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” said Pilling.

If you encountered it, how would you defend yourself?

The rule of “be careful where you click” always applies; unfortunately, services like GitHub, which embody the openness of the IT world, are exploited by malicious actors for purposes such as these (theft of data and credentials, remote control of devices, and so on).

In any case, always remember: there is no such thing as a ransomware attack.