
Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

December 9, 2022

A subgroup of the Iranian nation-state group known as Nemesis Kitten has been attributed as being behind a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.

“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”

The Iranian government-sponsored actor's malicious activities came under the radar earlier in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.


Nemesis Kitten is tracked by the wider cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It is also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.

It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that is “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”

Subsequent investigations into the adversary's operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to carry out opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.

Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage's origins to two Iranian front companies, Najee Technology and Afkar System, which, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).

Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation as a means of establishing persistence, it consists of a dropper and a payload that is used to execute commands received from a remote server.

“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” the cybersecurity company said in a report shared with The Hacker News.

This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.

As a detection evasion measure, Drokbk uses a technique known as dead drop resolver to determine its command-and-control (C2) server. Dead drop resolver refers to the use of a legitimate external web service to host information that points to the actual C2 infrastructure, so that the malware never has to carry a hard-coded C2 address and its initial lookup is indistinguishable from ordinary traffic to that service.

In this instance, this is accomplished by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file.
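Because the lookup itself is an ordinary HTTPS fetch of a README, the defensive angle is the pattern of access rather than the content of the connection: a non-browser process on an endpoint repeatedly pulling the same GitHub README.md, and, once a sample README is retrieved for triage, the network indicators embedded in it. The following is an added hunting script, not code from Secureworks, The Hacker News or the Drokbk sample; the proxy log format, client IPs, user-agent strings, repository names and README text are all constructed for illustration, and the browser-token heuristic is an assumption a real deployment would tune.

```python
"""Proxy-log hunt for dead-drop-resolver style README.md fetches.

Added example, not code from Secureworks, The Hacker News or the Drokbk
sample. The log format, client IPs, user agents, repository names and
README content below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed log format: <timestamp> <client_ip> "<user_agent>" <method> <url>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# GitHub hosts that can serve repository file content (web view, raw, API).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com"}

# Assumption: interactive browsers carry a rendering-engine token; a bare
# .NET or scripted client usually does not. Heuristic, not proof of malice.
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Safari/", "Edg/", "Gecko/")


@dataclass(frozen=True)
class ProxyEvent:
    timestamp: str
    client_ip: str
    user_agent: str
    method: str
    url: str


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed-format proxy log line; None if malformed."""
    m = LINE_RE.match(line.strip())
    return ProxyEvent(*m.groups()) if m else None


def is_github_readme(url: str) -> bool:
    """True for any GitHub-hosted path whose last component is README.md."""
    parsed = urlparse(url)
    return parsed.hostname in GITHUB_HOSTS and parsed.path.lower().endswith("/readme.md")


def looks_like_browser(user_agent: str) -> bool:
    return any(tok in user_agent for tok in BROWSER_TOKENS)


def find_readme_polling(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client_ip, url, hit_count) for non-browser clients that fetch a
    GitHub README.md, highest count first so repeated polling rises to the top."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_github_readme(ev.url):
            continue
        if looks_like_browser(ev.user_agent):
            continue  # a developer reading docs in a browser is expected
        hits[(ev.client_ip, ev.url)] += 1
    return sorted(((ip, url, n) for (ip, url), n in hits.items()), key=lambda t: -t[2])


IPV4_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
URL_RE = re.compile(r"https?://[^\s)<>]+")


def extract_candidate_c2(readme_text: str) -> Dict[str, List[str]]:
    """Pull IP:port pairs and URLs out of a retrieved README for analyst triage.
    They are candidates only: a legitimate README can mention either."""
    return {
        "ip_port": sorted(set(IPV4_PORT_RE.findall(readme_text))),
        "urls": sorted(set(URL_RE.findall(readme_text))),
    }


# Constructed sample input: one browser view of a README, unrelated fetches,
# and one host polling the same raw README every few minutes.
SAMPLE_PROXY_LOG = """\
2022-02-14T09:12:03Z 10.20.4.17 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/98.0.4758.102 Safari/537.36" GET https://github.com/example-org/docs/blob/main/README.md
2022-02-14T09:12:41Z 10.20.4.52 "Microsoft-CryptoAPI/10.0" GET http://crl.example.net/root.crl
2022-02-14T09:13:05Z 10.20.4.52 "ConstructedDotNetClient/1.0" GET https://raw.githubusercontent.com/placeholder-actor/placeholder-repo/main/README.md
2022-02-14T09:18:05Z 10.20.4.52 "ConstructedDotNetClient/1.0" GET https://raw.githubusercontent.com/placeholder-actor/placeholder-repo/main/README.md
2022-02-14T09:23:05Z 10.20.4.52 "ConstructedDotNetClient/1.0" GET https://raw.githubusercontent.com/placeholder-actor/placeholder-repo/main/README.md
2022-02-14T09:25:10Z 10.20.4.17 "curl/7.79.1" GET https://api.github.com/repos/example-org/docs/releases
"""

# Constructed README body using documentation-only (TEST-NET) addresses.
SAMPLE_README = """# placeholder-repo
Build notes. Mirror: 203.0.113.10:8443
Docs: https://docs.example.test/setup
"""

if __name__ == "__main__":
    for ip, url, n in find_readme_polling(SAMPLE_PROXY_LOG):
        print(f"{ip} fetched {url} {n} times from a non-browser client")
    print(extract_candidate_c2(SAMPLE_README))
```

On the constructed log the script surfaces only 10.20.4.52, which pulled the same raw README three times from a non-browser client, while the developer's browser view and the unrelated CRL and API requests are left alone. The repetition count matters: a single README fetch is noise, periodic re-fetching of one file by one host is the beaconing shape a dead drop resolver produces.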

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.

Some parts of this article are sourced from: thehackernews.com