A subgroup of the Iranian nation-state group known as Nemesis Kitten has been linked to a previously undocumented custom malware dubbed Drokbk, which uses GitHub as a dead drop resolver to exfiltrate data from an infected computer or to receive commands.
“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
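Because the GitHub traffic itself is encrypted and the destination is a legitimate service, the defensive signal has to come from *which process* is resolving and contacting GitHub rather than from what it sends. The following is an added detection example, not code from the article, Secureworks, or the malware: it reads Sysmon Event ID 22 (DnsQuery) records, flags GitHub lookups made by processes outside an allowlist of tools that are expected to reach GitHub, and notes whether the lookups recur at a regular interval (a common sign of a polling dead drop). The GitHub hostnames, the process allowlist and the sample events are all constructed assumptions and must be tuned per environment; the article names no specific endpoints.

```python
"""Flag GitHub DNS lookups from unexpected processes in Sysmon DnsQuery telemetry.

Added example (not from the article). Assumes Sysmon Event ID 22 records with
the fields UtcTime, Image, ProcessId and QueryName, exported one JSON object
per line.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# ASSUMPTION: the article names no GitHub endpoints; these suffixes are illustrative.
GITHUB_SUFFIXES = ("github.com", "githubusercontent.com")

# Processes that legitimately reach GitHub on a developer workstation.
# ASSUMPTION: an allowlist like this must be tuned per environment.
EXPECTED_IMAGES = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon Event ID 22 records (not real telemetry). The lookups from
# the process under C:\Users\Public\Libraries recur every five minutes.
SAMPLE_EVENTS = r"""
{"UtcTime": "2022-12-09 10:00:00.000", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "ProcessId": 2210, "QueryName": "github.com"}
{"UtcTime": "2022-12-09 10:00:05.000", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ProcessId": 3344, "QueryName": "api.github.com"}
{"UtcTime": "2022-12-09 10:06:00.000", "Image": "C:\\Users\\Public\\Libraries\\svchst.exe", "ProcessId": 4120, "QueryName": "api.github.com"}
{"UtcTime": "2022-12-09 10:02:00.000", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1180, "QueryName": "login.microsoftonline.com"}
{"UtcTime": "2022-12-09 10:01:00.000", "Image": "C:\\Users\\Public\\Libraries\\svchst.exe", "ProcessId": 4120, "QueryName": "api.github.com"}
{"UtcTime": "2022-12-09 10:11:00.000", "Image": "C:\\Users\\Public\\Libraries\\svchst.exe", "ProcessId": 4120, "QueryName": "api.github.com"}
"""


def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_github_host(host):
    """True for a GitHub apex domain or any subdomain of one (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GITHUB_SUFFIXES)


def image_name(path):
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regular_interval(times):
    """Return the median gap in seconds if all gaps are within 10% of it, else None."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = median(gaps)
    if m > 0 and all(abs(g - m) <= 0.1 * m for g in gaps):
        return m
    return None


def find_suspicious_lookups(events):
    """Group GitHub lookups by (image, pid, host) for processes not on the allowlist."""
    groups = defaultdict(list)
    for ev in events:
        if not is_github_host(ev["QueryName"]):
            continue
        if image_name(ev["Image"]) in EXPECTED_IMAGES:
            continue
        key = (ev["Image"], ev["ProcessId"], ev["QueryName"].lower())
        groups[key].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))

    findings = []
    for (image, pid, host), times in groups.items():
        times.sort()
        findings.append({
            "image": image,
            "pid": pid,
            "host": host,
            "count": len(times),
            "regular_interval_s": regular_interval(times),
        })
    # Most frequent pollers first.
    findings.sort(key=lambda f: (-f["count"], f["image"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_lookups(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed sample the only finding is the unsigned-looking binary under C:\Users\Public\Libraries polling api.github.com every 300 seconds; the browser and git.exe lookups are ignored. In production the allowlist should key on signer or hash rather than file name, since a file name alone is trivially copied, and the same grouping logic can be applied to Sysmon Event ID 3 (NetworkConnect) records to catch implants that skip DNS.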
The Iranian government-sponsored actor’s malicious activities first drew attention in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.
Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It’s also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.
It is further said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that’s “tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.”