Dec 09, 2022, Ravie Lakshmanan
Nemesis Kitten, a subgroup of an Iranian nation-state group, has been identified as the operator of a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.
“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said[1]. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
The Iranian government-sponsored actor’s malicious activities first came to light in February 2022, when it was observed[2] exploiting Log4Shell flaws[3] in unpatched VMware Horizon servers to deploy ransomware.
Nemesis Kitten is tracked[4] by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It’s also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270[5].
It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42[6]), a Phosphorus subgroup that’s “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”
Subsequent investigations into the adversary’s operations have uncovered[7] two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.
Microsoft, Google Mandiant, and Secureworks have since unearthed evidence[8] tracing Cobalt Mirage’s origins to two Iranian front companies, Najee Technology and Afkar System, that, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation to establish persistence, it consists of a dropper and a payload that’s used to execute commands received from a remote server.
“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” the cybersecurity company said in a report shared with The Hacker News.
This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046[9]), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.
As a detection evasion measure, Drokbk uses a technique called dead drop resolver[10] to determine its command-and-control (C2) server. Dead drop resolver refers to the use of a legitimate external Web service to host information that points to additional C2 infrastructure.
In this instance, this is achieved by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file[11].
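A defender-side heuristic for the polling behaviour this technique produces, as an added example that is not part of the Secureworks report or this article: it reads constructed proxy log lines and flags hosts that re-fetch a repository’s README.md at regular intervals, which is what a dead-drop lookup looks like from the outside even though the content itself travels over TLS. It assumes a TLS-inspecting proxy records the full URL; the log format, repository names, source addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines: "<epoch> <src_ip> <method> <url>". Not from the report.
SAMPLE_LOG = """\
1670000000 10.0.0.5 GET https://raw.githubusercontent.com/EXAMPLE-ACTOR/EXAMPLE-REPO/main/README.md
1670000600 10.0.0.5 GET https://raw.githubusercontent.com/EXAMPLE-ACTOR/EXAMPLE-REPO/main/README.md
1670001200 10.0.0.5 GET https://raw.githubusercontent.com/EXAMPLE-ACTOR/EXAMPLE-REPO/main/README.md
1670001800 10.0.0.5 GET https://raw.githubusercontent.com/EXAMPLE-ACTOR/EXAMPLE-REPO/main/README.md
1670000000 10.0.0.7 GET https://raw.githubusercontent.com/python/cpython/main/README.rst
1670000050 10.0.0.7 GET https://github.com/EXAMPLE-ORG/EXAMPLE-TOOL/blob/main/README.md
1670000100 10.0.0.7 GET https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-TOOL/main/README.md
1670004000 10.0.0.7 GET https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-TOOL/main/README.md
"""

# README.md fetches from either GitHub host; the "owner/repo" slug is captured for grouping.
README_RE = re.compile(
    r"^https://(?:raw\.githubusercontent\.com|github\.com)/([^/]+/[^/]+)/.*README\.md$", re.I)

def parse_log(text):
    """Return (epoch, src_ip, repo_slug) for every line that fetches a README.md."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line, skip rather than crash the sweep
        m = README_RE.match(parts[3])
        if m:
            events.append((int(parts[0]), parts[1], m.group(1).lower()))
    return events

def find_beacons(events, min_hits=3, max_jitter=0.2):
    """Flag (src_ip, repo) pairs whose README fetch intervals are regular enough to look like
    polling. Returns {(src_ip, repo): mean_interval_seconds}; pstdev/mean is the jitter measure."""
    by_key = defaultdict(list)
    for ts, src, repo in events:
        by_key[(src, repo)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_hits:
            continue  # a one-off README view is normal developer traffic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged
```

In the sample, 10.0.0.5 polls one repository every 600 seconds and is flagged, while 10.0.0.7’s irregular README views of a different repository are not.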
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.
References
[1] said (secureworks.com)
[2] observed (thehackernews.com)
[3] Log4Shell flaws (thehackernews.com)
[4] tracked (www.secureworks.com)
[5] DEV-0270 (thehackernews.com)
[6] APT42 (thehackernews.com)
[7] uncovered (thehackernews.com)
[8] unearthed evidence (thehackernews.com)
[9] CVE-2021-44228 and CVE-2021-45046 (thehackernews.com)
[10] dead drop resolver (attack.mitre.org)
[11] README.md file (docs.github.com)
[12] Twitter (twitter.com)
[13] LinkedIn (www.linkedin.com)
Source: https://thehackernews.com/2022/12/researchers-uncover-new-drokbk-malware.html