Iran-sponsored group using GitHub to deploy custom malware
The Secureworks Counter Threat Unit (CTU) has uncovered a subgroup of the Iranian threat group Cobalt Mirage using GitHub to store and deploy malware.
Secureworks believes a subgroup of Cobalt Mirage, known as Cluster B, is sponsored by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces.
Cluster B borrows a traditional espionage tactic, using GitHub as a "dead drop resolver".
The group packages up command-and-control (C2) server location instructions and stores them in a GitHub repository.
These instructions are retrieved by the group's "agent" on the inside, a piece of malware known as Drokbk, which reads them to learn which server to talk to next.
Rafe Pilling, Principal Researcher and thematic lead for Iran-focused research at Secureworks, says using GitHub makes it easier for attackers to go undetected.
"The use of GitHub as a virtual dead drop helps the malware blend in," Pilling says.
"All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions."
In February, Secureworks's incident responders investigated an intrusion at a local government network in the US, in which a VMware Horizon server had been compromised through two Log4j vulnerabilities.
This was when the company became aware of Drokbk.
The CTU says its findings indicate Cobalt Mirage carries out broad scan-and-exploit activity against IP address ranges in the US and Israel but otherwise appears to be opportunistic, hitting a wide variety of organisations, from financial services to education-related companies.
The unit has been tracking Cobalt Mirage for some time, believing it to be a single entity.
But closer analysis has found two distinct clusters operating within the group, which Secureworks CTU has called Cluster A and Cluster B.
While the two clusters share some methods, and even some of the same passwords and infrastructure, the CTU notes Cluster B has a distinct set of infrastructure and TTPs that sets it apart.
These include:
- Cluster B has not deployed BitLocker ransomware as Cluster A has, and appears more focused on information gathering than financial gain.
- Cluster B is harder to attribute, making it more of a mystery and more difficult to track.
- Cluster B has dropped more custom tools than Cluster A.
"To date, Drokbk has kept a low profile and hasn't been documented in open source, so this is the first really in-depth look at how it works under the hood," Pilling adds.
"Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunnelling tools like Fast Reverse Proxy (FRP) and Ngrok.
"Our advice to organisations is to use available controls to review and restrict access to the IP addresses, domains and URLs associated with Drokbk – which we have listed in our blog."
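The dead-drop pattern described above, and the "review and restrict access" advice that closes the article, can both be turned into checks over web proxy logs. The script below is an added example, not Secureworks' code and not part of the Drokbk report: it scans constructed proxy log lines for workstations that repeatedly fetch the same GitHub-hosted file with a non-browser, non-git client at a steady cadence (the footprint a dead drop resolver leaves even though the TLS payload is opaque), and separately matches requests against an indicator list. The log format, the sample hosts, the example repository path and the indicator values are all placeholders invented for this example; the real indicators are the ones Secureworks published.

```python
"""Detection helper for GitHub-as-dead-drop beaconing in web proxy logs.

Added example, not Secureworks' code. Log format, hosts, repository path and
indicator values below are constructed placeholders, not real Drokbk IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified proxy format (assumed here):
# <iso timestamp> <client> <method> <url> <user-agent>
SAMPLE_LOG = """\
2022-12-09T10:00:02Z 10.1.2.50 GET https://raw.githubusercontent.com/example-user/example-repo/main/config.txt ExampleClient/1.0
2022-12-09T10:05:01Z 10.1.2.50 GET https://raw.githubusercontent.com/example-user/example-repo/main/config.txt ExampleClient/1.0
2022-12-09T10:10:03Z 10.1.2.50 GET https://raw.githubusercontent.com/example-user/example-repo/main/config.txt ExampleClient/1.0
2022-12-09T10:15:00Z 10.1.2.50 GET https://raw.githubusercontent.com/example-user/example-repo/main/config.txt ExampleClient/1.0
2022-12-09T10:03:11Z 10.1.2.77 GET https://github.com/python/cpython/pulls Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0
2022-12-09T10:04:40Z 10.1.2.77 GET https://raw.githubusercontent.com/python/cpython/main/README.rst Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/108.0
2022-12-09T10:20:00Z 10.1.2.91 GET http://203.0.113.10/frpc.exe curl/7.85.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "gist.githubusercontent.com", "api.github.com"}
# User-Agents that legitimately talk to GitHub from a workstation.
BENIGN_UA_RE = re.compile(r"(Chrome|Firefox|Safari|Edg)/|^git/")

# Placeholder indicators (constructed; substitute the published list).
PLACEHOLDER_HOSTS = {"203.0.113.10"}
PLACEHOLDER_URL_PREFIXES = {
    "https://raw.githubusercontent.com/example-user/example-repo/",
}


def parse(log_text):
    """Yield (timestamp, client, url, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url, ua


def find_dead_drop_candidates(log_text, min_hits=3, jitter_seconds=60):
    """Return (client, url, hits) for repeated, evenly spaced fetches of one
    GitHub resource by a client that is neither a browser nor git."""
    by_key = defaultdict(list)
    for ts, client, url, ua in parse(log_text):
        if urlsplit(url).hostname in GITHUB_HOSTS and not BENIGN_UA_RE.search(ua):
            by_key[(client, url)].append(ts)
    results = []
    for (client, url), stamps in by_key.items():
        if len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A scheduled poll has near-constant gaps; a human browsing does not.
        if max(gaps) - min(gaps) <= jitter_seconds:
            results.append((client, url, len(stamps)))
    return results


def match_indicators(log_text, blocked_hosts, blocked_url_prefixes):
    """Return (client, url) for requests to a listed host or URL prefix."""
    hits = []
    for _ts, client, url, _ua in parse(log_text):
        host = urlsplit(url).hostname
        if host in blocked_hosts or any(url.startswith(p) for p in blocked_url_prefixes):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url, hits in find_dead_drop_candidates(SAMPLE_LOG):
        print(f"[beacon] {client} fetched {url} {hits} times at a steady cadence")
    for client, url in match_indicators(SAMPLE_LOG, PLACEHOLDER_HOSTS, PLACEHOLDER_URL_PREFIXES):
        print(f"[ioc] {client} -> {url}")
```

The cadence check is deliberately separate from the indicator match: indicator lists go stale as soon as the group rotates repositories, whereas a non-browser client polling one raw GitHub file every few minutes is a behaviour that survives rotation. Tune `jitter_seconds` and `min_hits` to your proxy's timestamp precision and the polling window you want to catch.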