A new custom malware used by an Iranian-backed hacking group has been discovered by researchers at the Secureworks Counter Threat Unit.
The malware, known as Drokbk, is used by Cluster B, a subgroup of the Iranian threat group Cobalt Mirage, which is sponsored by the Islamic Revolutionary Guard Corps (IRGC).
Cobalt Mirage was first thought to be a single group; however, Secureworks analysis has revealed two subgroups — Cluster A and Cluster B. The two share some methods, passwords and infrastructure, but differ in other TTPs. Cluster B seems more focused on information collection, while Cluster A is more intent on financial gain.
Cluster B has been using GitHub to distribute Drokbk, which consists of a dropper and a payload. Once a business has already been breached, the group uploads instructions giving the location of its command and control server to a GitHub repository. Drokbk reads that repository to learn which server to communicate with.
Drokbk on its own has rather limited functionality, but by executing further malware delivered from the command and control server it becomes rather effective while also maintaining a low profile.
“The use of GitHub as a virtual dead drop helps the malware blend in,” says Secureworks principal researcher and the lead on Iran-related research, Rafe Pilling.
“All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”
Secureworks, which has had an eye on Cobalt Mirage for some time, first discovered Drokbk in February, when it was used following a breach of a US local government network.
“To date, Drokbk has kept a low profile and hasn’t been documented in Open Source, so this is the first really in-depth look at how it works under the hood,” adds Pilling.
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunnelling tools like Fast Reverse Proxy (FRP) and Ngrok.
“Our advice to organisations is to use available controls to review and restrict access to the IP addresses, domains and URLs associated with Drokbk — which we have listed in our blog.”
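The advice above, to review and restrict access to the indicators Secureworks publishes, combined with the GitHub dead-drop pattern the article describes, can be turned into a simple triage pass over outbound proxy logs. The Python below is an added example written for this page, not code from Secureworks or the article. The indicator values, the log format, the destination addresses and the source IPs are all constructed placeholders; an organisation would substitute the indicators listed in the Secureworks blog and its own proxy log schema.

```python
import re
from urllib.parse import urlparse

# Placeholder indicators. The article says Secureworks lists the Drokbk IPs,
# domains and URLs in its blog; the values here are constructed stand-ins for
# that list and are NOT real indicators.
DROKBK_IOC_DOMAINS = {"drokbk-c2.example"}                    # constructed placeholder
DROKBK_IOC_IPS = {"203.0.113.45"}                             # constructed placeholder (TEST-NET-3)
DROKBK_IOC_URLS = {
    "https://raw.githubusercontent.com/example-dead-drop/repo/main/c2.txt",  # constructed placeholder
}

# GitHub hosts that serve repository content and can therefore act as a dead drop.
# Traffic to them is legitimate for developers, so it is flagged for review, not blocked.
GITHUB_CONTENT_HOSTS = {"raw.githubusercontent.com", "github.com", "api.github.com"}

# Constructed proxy log format (hypothetical): "<timestamp> <src_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return ("block", src, url), ("review", src, url) or None for one log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, _method, url = m.groups()
    host = (urlparse(url).hostname or "").lower()
    # Exact indicator hits: URL, domain or destination IP from the published list.
    if url in DROKBK_IOC_URLS or host in DROKBK_IOC_DOMAINS or dst in DROKBK_IOC_IPS:
        return ("block", src, url)
    # Repository content fetched from GitHub: candidate dead-drop retrieval, needs review.
    if host in GITHUB_CONTENT_HOSTS:
        return ("review", src, url)
    return None


def triage(lines, github_allowed_sources=frozenset()):
    """Split log lines into indicator hits ('block') and GitHub fetches from
    sources that are not expected to use GitHub ('review')."""
    result = {"block": [], "review": []}
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        kind, src, url = verdict
        if kind == "block":
            result["block"].append((src, url))
        elif src not in github_allowed_sources:
            result["review"].append((src, url))
    return result


# Constructed sample log lines; 198.51.100.10 stands in for a GitHub address.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 198.51.100.10 GET https://raw.githubusercontent.com/example-dead-drop/repo/main/c2.txt",
    "2024-01-01T10:00:05Z 10.0.0.5 203.0.113.45 POST https://drokbk-c2.example/upload",
    "2024-01-01T10:01:00Z 10.0.0.7 198.51.100.10 GET https://raw.githubusercontent.com/someorg/tool/main/README.md",
    "2024-01-01T10:02:00Z 10.0.0.9 198.51.100.10 GET https://github.com/someorg/tool",
    "2024-01-01T10:03:00Z 10.0.0.7 198.51.100.20 GET https://www.example.com/",
]

if __name__ == "__main__":
    # 10.0.0.9 is treated as a developer workstation expected to reach GitHub.
    findings = triage(SAMPLE_LOG, github_allowed_sources={"10.0.0.9"})
    for src, url in findings["block"]:
        print(f"BLOCK  {src} -> {url}")
    for src, url in findings["review"]:
        print(f"REVIEW {src} -> {url}")
```

The split into "block" and "review" reflects the point Pilling makes: GitHub traffic is encrypted and legitimate, so its content cannot be inspected in transit, but a fetch of raw repository content from a server or host that has no reason to talk to GitHub is still worth a look, while the published indicators themselves can simply be denied at the proxy.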