After all, cats are not that cute; a group known as Nemesis Kitten has been exfiltrating data from an infected computer using a legitimate hosting service as a dead drop.
Nemesis Kitten, a subgroup of an Iranian nation-state group, has been linked to a previously undocumented malware called Drokbk. The malware uses the legitimate GitHub service as a dead drop.
For context, a dead drop is a pre-arranged secret location where data or files are left for another party to collect later, so that the two sides never exchange them directly over the open internet.
Rafe Pilling, Secureworks principal, emphasised, “The use of GitHub as a virtual dead drop helps the malware blend in.”
“All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
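Because the GitHub traffic itself is encrypted and legitimate, one practical detection angle is behavioural: which hosts talk to GitHub, and how regularly. The following Python example is added here and is not code from the article, Secureworks or the Drokbk malware; it assumes a constructed CSV proxy log (timestamp, host, domain, method, port), a hypothetical host role inventory, and a hand-picked list of GitHub domains. It flags non-workstation hosts that contact those domains, and marks the finding as periodic when the gaps between requests are nearly uniform, a beacon-like pattern that ordinary developer use does not produce.

```python
"""Flag servers that repeatedly contact a hosting service used as a dead drop.

Added example; the log format, host inventory and domain list are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical asset inventory: servers normally have no reason to pull from GitHub.
HOST_ROLES = {
    "horizon-01": "server",       # constructed: an application server
    "dev-laptop-7": "workstation",  # constructed: a developer machine
}

# Domains that could plausibly serve as a dead drop (assumed list).
DEAD_DROP_DOMAINS = {"github.com", "raw.githubusercontent.com", "api.github.com"}

# Constructed proxy log: one server polling every ~10 minutes, one developer browsing.
SAMPLE_LOG = """\
2022-02-14T09:00:00Z,horizon-01,raw.githubusercontent.com,GET,443
2022-02-14T09:10:02Z,horizon-01,raw.githubusercontent.com,GET,443
2022-02-14T09:20:01Z,horizon-01,raw.githubusercontent.com,GET,443
2022-02-14T09:29:59Z,horizon-01,raw.githubusercontent.com,GET,443
2022-02-14T09:03:17Z,dev-laptop-7,github.com,GET,443
2022-02-14T09:47:41Z,dev-laptop-7,github.com,GET,443
2022-02-14T11:12:05Z,dev-laptop-7,api.github.com,GET,443
2022-02-14T09:15:00Z,horizon-01,updates.example-vendor.test,GET,443
"""


def parse_log(text):
    """Parse the constructed CSV format into a list of dict records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, domain, method, port = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "domain": domain,
            "method": method,
            "port": int(port),
        })
    return records


def find_dead_drop_candidates(records, roles, min_hits=3, max_jitter=0.2):
    """Return findings for non-workstation hosts reaching dead-drop domains.

    A finding is marked periodic when at least `min_hits` requests exist and the
    coefficient of variation of the inter-request gaps is at most `max_jitter`.
    """
    hits = defaultdict(list)
    for r in records:
        if r["domain"] in DEAD_DROP_DOMAINS:
            hits[(r["host"], r["domain"])].append(r["ts"])

    findings = []
    for (host, domain), stamps in hits.items():
        role = roles.get(host, "unknown")
        if role == "workstation":
            continue  # developers are expected to use GitHub; tune per environment
        stamps.sort()
        finding = {"host": host, "domain": domain, "role": role,
                   "hits": len(stamps), "periodic": False}
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                finding["periodic"] = True
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_candidates(parse_log(SAMPLE_LOG), HOST_ROLES):
        print(f)
```

In a real deployment the role inventory would come from the CMDB and the log from the proxy or DNS layer; the point is that a server pulling from a code-hosting site on a fixed cadence stands out even when the payload itself cannot be inspected.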
The operations of this Iranian government-sponsored actor first came to light in February 2022, when it was detected exploiting the Log4Shell vulnerability in unpatched VMware Horizon servers to deliver ransomware.
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunnelling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.
It is also alleged to have tactical overlaps with Cobalt Illusion (aka APT42), a Phosphorus subgroup tasked with conducting information collection and surveillance activities against individuals and groups of strategic relevance to the Iranian leadership.
The investigation further uncovered two intrusion sets, Cluster A and Cluster B. Cluster A conducts opportunistic ransomware attacks for financial gain using BitLocker and DiskCryptor, whereas Cluster B runs targeted intrusions for intelligence gathering. Drokbk falls under Cluster B.
Combined reporting from Secureworks, Google Mandiant, and Microsoft has traced Cobalt Mirage to the Iranian front companies Afkar System and Najee Technology, both connected with the Islamic Revolutionary Guard Corps (IRGC).
“Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” according to a report published with The Hacker News by the cybersecurity firm.