Iranian APT Targets US With Drokbk Spyware via GitHub

Published: 23/11/2024   Category: security




Drokbk, the custom malware used by a state-backed Iranian threat group, has so far flown under the radar by using GitHub as a dead-drop resolver to more easily evade detection.



A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed Drokbk to attack a variety of US organizations, using GitHub as a dead-drop resolver.
According to MITRE, the dead-drop resolver technique refers to adversaries posting content on legitimate Web services with embedded malicious domains or IP addresses, in an effort to hide their nefarious intent.
In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.
The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware, the report noted.
The Drokbk malware is written in .NET, and it's made up of a dropper and a payload.
Typically, it's used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.
According to the report from the Secureworks Counter Threat Unit (CTU), Drokbk surfaced in February after an intrusion at a US local government network. That attack began with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
"This group has been observed conducting broad scan-and-exploit activity against the US and Israel, so in that sense any organization with vulnerable systems on its perimeter is a potential target," says Rafe Pilling, Secureworks principal researcher and thematic lead for Iran.
He explains Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It's also a relatively unknown piece of malware.
"There may be organizations out there with this running on their networks right now, undetected," he adds.
Fortunately, using GitHub as a dead-drop resolver is a technique that cyber defenders can look for on their networks.
"Defenders might not be able to view TLS-encrypted traffic flows, but they can see which URLs are being requested and look for unusual or unexpected connections to GitHub APIs from their systems," Pilling notes.
The dead-drop resolver technique provides a degree of flexibility to malware operators, allowing them to update their C2 infrastructure and still maintain connectivity with their malware.
"It also helps the malware blend in by making use of a legitimate service," Pilling says.
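Pilling's advice above is concrete enough to turn into a hunt: even without decrypting TLS, a Web proxy records the requested URL and the requesting host. The script below is an added example written for this article, not code from Secureworks or Dark Reading. It parses a small set of constructed proxy log lines, flags requests to GitHub endpoints from hosts that are not on a hypothetical allowlist of developer workstations, and marks a host as beacon-like when it hits the same URL repeatedly at a near-constant interval, which is how a dead-drop resolver check tends to look from the outside. The log format, IP addresses, hostnames and the allowlist are all assumptions.

```python
"""Hunt proxy logs for unexpected GitHub API access (dead-drop resolver pattern).

Added example; the log format, addresses and allowlist below are constructed
assumptions, not indicators from the Secureworks report.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Hosts a GitHub-based dead-drop resolver would have to talk to (assumption:
# the article names only "GitHub APIs", not specific hostnames).
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}

# Hypothetical allowlist: workstations expected to use GitHub for real work.
DEV_HOSTS = {"10.0.5.12", "10.0.5.13"}

# Constructed proxy log format: "<utc-timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one developer host, one server polling the same API
# path every five minutes, and some unrelated traffic.
SAMPLE_LOG = """\
2024-11-23T08:00:01Z 10.0.5.12 GET https://api.github.com/repos/acme/app/pulls 200
2024-11-23T08:00:05Z 10.0.9.44 GET https://api.github.com/users/example-account 200
2024-11-23T08:05:05Z 10.0.9.44 GET https://api.github.com/users/example-account 200
2024-11-23T08:10:05Z 10.0.9.44 GET https://api.github.com/users/example-account 200
2024-11-23T08:00:07Z 10.0.7.2 GET https://www.example.com/ 200
2024-11-23T08:00:09Z 10.0.5.13 GET https://github.com/acme/app 200
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_periodic(timestamps, tolerance=0.1):
    """True if three or more requests are spaced at a near-constant interval."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    return all(abs(g - mean) <= tolerance * mean for g in gaps)


def find_suspicious(log_text, dev_hosts=DEV_HOSTS):
    """Return GitHub requests from hosts outside the allowlist, grouped by
    (source, host, path), with a request count and a beaconing flag."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        if url.hostname in GITHUB_HOSTS and rec["src"] not in dev_hosts:
            seen[(rec["src"], url.hostname, url.path)].append(rec["ts"])
    findings = []
    for (src, host, path), stamps in sorted(seen.items()):
        findings.append({
            "src": src, "host": host, "path": path,
            "count": len(stamps), "periodic": is_periodic(stamps),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        flag = "BEACON-LIKE" if f["periodic"] else "review"
        print(f"{flag}: {f['src']} -> {f['host']}{f['path']} x{f['count']}")
```

The allowlist is the part that needs tuning in a real environment: CI runners, package managers and IDE plugins all talk to GitHub legitimately, so the useful signal is a server or non-developer host that polls a single GitHub path on a schedule, not GitHub traffic as such.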
Pilling advises organizations to patch Internet-facing systems, noting well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.
"In general, this group and others will quickly adopt the latest network vulnerabilities that have reliable exploit code, so having that robust patching process in place is key," he says.
He also recommends organizations hunt through security telemetry for the indicators provided in the report to detect Cobalt Mirage intrusions, ensure an antivirus solution is widely deployed and up to date, and deploy EDR and XDR solutions to provide comprehensive visibility across networks and cloud systems.
The CTU also noted Cobalt Mirage appears to have two distinct groups operating within the organization, which Secureworks has labeled Cluster A and Cluster B.
"The initial similarity in tradecraft resulted in the creation of a single group, but over time and multiple incident-response engagements we found we had two distinct clusters of activity," Pilling explains.
Going forward, the established groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. He adds that the increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.
"Email and social media-based phishing are preferred methods, and we may see some incremental improvement in sophistication," he explains.
In a joint advisory issued Nov. 17, cybersecurity agencies in the United States, United Kingdom, and Australia warned attacks from groups linked to Iran are on the rise. Cobalt Mirage is hardly on its own.
"Over the last two years we've seen multiple group personas emerge — Moses Staff, Abraham's Ax, Hackers of Savior, Homeland Justice, to name a few — primarily targeting Israel, but more recently Albania and Saudi Arabia, conducting hack-and-leak style attacks combined with information operations," Pilling says.
The US Treasury Department has already moved to sanction the Iranian government for its cybercrime activities, which the department alleges have been carried out in systematic fashion against US targets via a range of advanced persistent threat (APT) groups.
