Research from the Secureworks Counter Threat Unit (CTU) has exposed the inner workings of a new custom malware, Drokbk. The malware is associated with a subgroup of the Iranian threat group COBALT MIRAGE, known as Cluster B, which is thought to be sponsored by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.
Mirroring traditional spy tradecraft, Cluster B has been using GitHub as a ‘dead drop resolver’. The group packages up command and control (C2) server location instructions, which it then stores in a GitHub repository. These instructions are then collected by its ‘agent’ on the inside, Drokbk, telling the malware which server to talk to next.
The use of GitHub enables the attackers to evade detection more easily, said Secureworks’ Principal Researcher and thematic lead for research focused on Iran, Rafe Pilling: “The use of GitHub as a virtual dead drop helps the malware blend in. All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
Secureworks first noted the use of Drokbk in February, when its incident responders investigated an intrusion at a local government network in the US. The intrusion began with a compromise of a VMware Horizon server using two Log4j vulnerabilities. The group conducts broad scan-and-exploit activity against IP address ranges in the US and Israel but otherwise appears to be opportunistic, hitting a wide variety of organisations, from financial services to education-related companies.