SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Advanced Persistent Threat Protection
#
App development
#
APM
Iran-sponsored group using GitHub to deploy custom malware
Tue, 13th Dec 2022
FYI, this story is more than a year old
Author image
By Zach Thompson, News Editor
Follow us

The Secureworks Counter Threat Unit (CTU) has uncovered a subgroup of Iranian Cobalt Mirage using GitHub to store and deploy malware.

Secureworks believes a subgroup of Cobalt Mirage, known as Cluster B, is sponsored by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.

Cluster B uses traditional spy tactics, using GitHub as a “dead drop resolver”.

The group packages up command and control server location instructions, storing them in a GitHub repository.

These instructions are collected by their ‘agent’ on the inside, known as Drokbk, telling the malware which server to talk to next.

Rafe Pilling, Principal Researcher and thematic lead for research focused on Iran at Secureworks says using GitHub gives attackers the ability to more easily go undetected.

“The use of GitHub as a virtual dead drop helps the malware blend in,” Pilling says.

“All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”

In February, two Log4j vulnerabilities compromised a VMware Horizon server, leading Secureworks’s incident responders to investigate an intrusion at a local government network in the US.

This was when the company became aware of Drokbk.

The CTU says its findings indicate Cobalt Mirage carries out broad scan-and-exploit activity against IP address ranges in the US and Israel but otherwise appears to be opportunistic, hitting a wide variety of organisations, from financial services to education-related companies.

The unit has been tracking Cobalt Mirage for some time, believing it to be a single entity.

But closer analysis has found two distinct clusters operating within the group, which Secureworks CTU has called Cluster A and Cluster B.

While these groups share some methods and even use some of the same passwords and infrastructure, the CTU notes Cluster B has a distinct set of infrastructure and TTPs that set it apart.

These include:

  • Cluster B has not deployed bitlocker ransomware like Cluster A has, seeming more focused on information gathering than financial gain.
  • Cluster B is more difficult to assign attribution to, making it more of a mystery and harder to track.
  • Cluster B has dropped more custom tools than Cluster A.

“To date, Drokbk has kept a low profile and hasn’t been documented in Open Source; so, this is the first really in-depth look at how it works under the hood,” Pilling adds.

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunnelling tools like Fast Reverse Proxy (FRP) and Ngrok.

“Our advice to organisations is to use available controls to review and restrict access to the IP addresses, domains and URLs associated with Drokbk – which we have listed in our blog.”

Related stories
Keeper Security launches user-friendly passphrase generator
Understanding the key to boosting cybersecurity habits: Kaspersky study
How attackers target security blind spots: Three real-life lessons from the SOC
Kaspersky illuminates LockBit ransomware group's advanced tactics
Absolute Security focuses on cyber resilience in company rebrand
Top stories
Coalition integrates cyber risk platform with top cloud services providers
i-PRO to support Genetec SaaS with new AI-enabled camera models
Illumio unveils AI enhancements for faster Zero Trust Segmentation adoption
RiverSafe teams up with Cribl to boost IT & data security services
Business leaders anxious over data security – report