Drokbk spyware used by Iranian APT to target the US

December 27, 2022

An Iranian advanced persistent threat group is using the Drokbk spyware to evade security detection and target United States organisations. Researchers explained that the state-sponsored group uses GitHub as a dead-drop resolver for the spyware, which lets it slip past security detections more easily.

Based on reports, the Iranian APT is a subgroup of Cobalt Mirage that attacks various United States organisations. Using a dead-drop resolver means the attackers post content on a legitimate web service with the malicious IP addresses and domains embedded in it, hiding their hostile infrastructure behind a trusted host.

In this instance, the Drokbk spyware operators use the dead-drop resolver method to locate their command-and-control server by connecting to GitHub. A report explained that the actors keep the command-and-control server information on a cloud service, in an account that the malware can locate deterministically.

The Drokbk spyware is written in .NET and is composed of a dropper and a payload.

The Drokbk spyware operators commonly use the payload to install a web shell on an infected server. The threat group then deploys further tools as part of its lateral movement stage.

The Drokbk spyware first appeared last February, following a data breach against a United States local government network. That attack began with the compromise of a VMware Horizon server through a pair of Log4j vulnerabilities.

An analyst stated that the group has been running a broad scan-and-exploit campaign against Israel and the United States. As a result, any organisation running unpatched, exploitable systems is a potential target of the Drokbk operators.

In addition, the spyware gives the threat actors arbitrary remote access and persistence, working alongside tunnelling kits such as Ngrok and FRP. What makes this malware more threatening is that, being a new entity, it remains poorly understood by many researchers.

Furthermore, Drokbk may already be operating and compromising networks at organisations in numerous countries. Fortunately, the use of GitHub as a dead-drop resolver is something security teams can hunt for in their own network telemetry, since multiple threat actors and cybercriminal campaigns rely on the same technique.
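To make the detection idea above concrete, here is an added example (not code from the article or from any vendor report) that hunts for dead-drop-resolver style behaviour in web proxy logs. It goes slightly beyond the text: besides flagging hosts that fetch raw GitHub content from a process that is not a known developer tool, it correlates each flagged fetch with later connections from the same host straight to a bare IP address, which is what a resolved command-and-control lookup would look like, and it extracts IPv4[:port] indicators from a fetched body so an analyst can pivot on them. The log format, field names, host and process names, the process allowlist and every sample line are constructed for illustration and are assumptions; adapt the regular expression to your proxy's format.

```python
"""Hunting for dead-drop-resolver lookups in web proxy logs (added example).

Everything here is constructed: the log format, the hostnames, the process
names and the allowlist are assumptions, not data from any real incident.
"""
import re

# Hosts that serve raw repository/gist content or the GitHub API. A dead drop
# is fetched from one of these rather than from github.com's HTML front end.
# (Assumed list; extend it for your environment.)
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "api.github.com",
}

# Processes that legitimately talk to GitHub on developer workstations.
# Anything else fetching raw GitHub content deserves a look. (Assumed.)
DEV_PROCESS_ALLOWLIST = {"git.exe", "code.exe", "devenv.exe", "gh.exe"}

# Assumed proxy log layout: one request per line, key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) '
    r'dst=(?P<dst>\S+) path=(?P<path>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample lines in the assumed format (not real telemetry).
SAMPLE_LOGS = [
    '2022-12-20T10:01:02Z src=ws-dev-07 proc=git.exe dst=api.github.com '
    'path=/repos/example/app ua="git/2.38.1"',
    '2022-12-20T10:02:15Z src=srv-app-01 proc=updater.exe '
    'dst=raw.githubusercontent.com path=/u1/r1/main/readme.txt ua="Mozilla/4.0"',
    '2022-12-20T10:02:16Z src=srv-app-01 proc=updater.exe dst=203.0.113.10 '
    'path=/ ua="Mozilla/4.0"',
    '2022-12-20T10:05:40Z src=ws-dev-07 proc=code.exe '
    'dst=raw.githubusercontent.com path=/example/app/main/README.md ua="VSCode/1.74"',
    'garbage line that does not parse',
]

# Matches a destination that is a bare IPv4 address (no hostname).
BARE_IP_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')

# Matches IPv4 addresses with an optional :port inside free text.
IPV4_PORT_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b')


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_dead_drop_candidates(lines):
    """Return records where a non-developer process fetched raw GitHub content."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as errors
        if rec["dst"] in GITHUB_CONTENT_HOSTS and rec["proc"].lower() not in DEV_PROCESS_ALLOWLIST:
            hits.append(rec)
    return hits


def correlate_follow_on(lines, hits):
    """Pair each flagged fetch with later connections from the same host to a bare IP.

    ISO-8601 timestamps in the same zone sort lexicographically, so a string
    comparison is enough to order the events here.
    """
    records = [r for r in map(parse_line, lines) if r]
    pairs = []
    for hit in hits:
        for rec in records:
            if rec["src"] == hit["src"] and rec["ts"] > hit["ts"] and BARE_IP_RE.match(rec["dst"]):
                pairs.append((hit["src"], rec["dst"]))
    return pairs


def extract_indicators(body):
    """Pull IPv4[:port] strings out of a fetched dead-drop body for pivoting.

    `body` is whatever the flagged host downloaded; the caller supplies it.
    """
    return sorted(set(IPV4_PORT_RE.findall(body)))


if __name__ == "__main__":
    hits = find_dead_drop_candidates(SAMPLE_LOGS)
    for h in hits:
        print(f"suspicious GitHub fetch: {h['src']} {h['proc']} -> {h['dst']}{h['path']}")
    for src, dst in correlate_follow_on(SAMPLE_LOGS, hits):
        print(f"follow-on bare-IP connection: {src} -> {dst}")
    # Constructed body standing in for the content the flagged host fetched.
    print(extract_indicators("c2 203.0.113.10:443 backup 198.51.100.7"))
```

In production the allowlist check would be replaced by a per-host baseline (does this server ever talk to GitHub?), and the follow-on correlation bounded by a time window; the structure stays the same.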
