Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver
Dec 09, 2022
Malware / Iranian Hackers
A subgroup of the Iranian nation-state group known as Nemesis Kitten has been identified as being behind a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.

"The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions."

The Iranian government-sponsored actor's malicious activities first drew attention in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware. Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It's also a sub-clus
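The article's point is that the GitHub traffic itself is encrypted and goes to a legitimate service, so content inspection is of little help; what a defender can still see at a web proxy is the destination host, the requesting client and the timing. The following added example (not code from the article, Secureworks or the Drokbk analysis) hunts for dead-drop-style polling of GitHub in proxy logs using two constructed heuristics: GitHub requests from a client that presents neither a browser nor a git user agent, and the same client fetching the same GitHub URL at a near-constant interval. The log format, host names of the workstations, user-agent strings and the allowlist of "expected" user agents are all assumptions chosen for the example.

```python
"""Hunt for dead-drop-style GitHub polling in web proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Real GitHub content/API hosts a client would contact; the set is not exhaustive.
GITHUB_HOSTS = {
    "github.com",
    "api.github.com",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "objects.githubusercontent.com",
}

# Assumption: in this environment only browsers and git clients are expected
# to talk to GitHub. Anything else is worth a look.
ALLOWED_UA_PREFIXES = ("Mozilla/", "git/")

# Constructed proxy log line format (hypothetical, not a real product's format):
#   <ISO timestamp> <source host> <URL> "<user agent>" <bytes>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

# Constructed sample log lines. WS-041 polls one raw file every five minutes
# with a non-browser client; DEV-007 is ordinary developer activity.
SAMPLE_LOGS = """\
2022-12-09T10:00:00 WS-041 https://raw.githubusercontent.com/example-user/notes/main/README.md "ExampleHttpClient/1.0" 312
2022-12-09T10:02:13 DEV-007 https://github.com/example-org/project/pull/42 "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Firefox/107.0" 48211
2022-12-09T10:05:00 WS-041 https://raw.githubusercontent.com/example-user/notes/main/README.md "ExampleHttpClient/1.0" 312
2022-12-09T10:10:00 WS-041 https://raw.githubusercontent.com/example-user/notes/main/README.md "ExampleHttpClient/1.0" 318
2022-12-09T10:15:00 WS-041 https://raw.githubusercontent.com/example-user/notes/main/README.md "ExampleHttpClient/1.0" 312
2022-12-09T10:31:55 DEV-007 https://api.github.com/repos/example-org/project "git/2.38.1" 9021
2022-12-09T11:00:00 WS-041 https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0" 14000
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, url, ua, nbytes = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "url": url,
        "host": urlparse(url).hostname or "",
        "ua": ua,
        "bytes": int(nbytes),
    }


def odd_user_agent(ua):
    """True when the client is neither a browser nor a git client (by allowlist)."""
    return not ua.startswith(ALLOWED_UA_PREFIXES)


def is_regular(times, min_hits=3, tolerance_s=60):
    """True when at least min_hits timestamps are spaced at a near-constant interval."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def hunt(log_text, min_hits=3):
    """Return findings: unusual clients talking to GitHub, and regular polling of one URL."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["host"] in GITHUB_HOSTS]
    findings = []
    seen_clients = set()
    polls = defaultdict(list)  # (source host, URL) -> list of timestamps
    for e in events:
        client = (e["src"], e["host"], e["ua"])
        if odd_user_agent(e["ua"]) and client not in seen_clients:
            seen_clients.add(client)
            findings.append({"kind": "non-browser-ua", "src": e["src"], "host": e["host"], "ua": e["ua"]})
        polls[(e["src"], e["url"])].append(e["ts"])
    for (src, url), times in polls.items():
        if is_regular(times, min_hits):
            findings.append({"kind": "regular-polling", "src": src, "url": url, "hits": len(times)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f)
```

On the sample data the script raises two findings, both for WS-041: the unexpected client talking to raw.githubusercontent.com, and four fetches of the same file at five-minute spacing. The user-agent allowlist is the weakest part of the approach, since a client can present any string it likes; the timing heuristic is harder to avoid without giving up prompt command pickup, which is why the two are combined.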