"Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver"

Nemesis Kitten, a subgroup of an Iranian nation-state group, has been linked to Drokbk, a previously undocumented custom malware that uses GitHub as a dead drop resolver to exfiltrate data from infected computers and to receive commands. According to Secureworks principal researcher Rafe Pilling, using GitHub as a virtual dead drop helps the malware blend in: because all traffic to GitHub is encrypted, defensive technologies cannot see what is being exchanged, and because GitHub is a legitimate service, connections to it raise fewer concerns. The malicious activities of the Iranian government-sponsored actor first came to light in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware. The larger cybersecurity community tracks Nemesis Kitten as TunnelVision, Cobalt Mirage, and UNC2448. It is also a sub-cluster of the Phosphorus group, which Microsoft designates DEV-0270, and is said to have tactical overlaps with Cobalt Illusion, also known as APT42, a Phosphorus subgroup that conducts information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. This article continues to discuss the Nemesis Kitten nation-state group's use of the new Drokbk malware.

THN reports "Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver"
