Iranian threat group using GitHub as a dead drop.

Secureworks Counter Threat Unit researchers investigated the Drokbk malware, found to be operated by a subgroup of Iran’s government-sponsored COBALT MIRAGE threat group, known as Cluster B.

Drokbk malware, alongside other persistence tools.

The Drokbk malware was detected in use as early as February of this year in an intrusion targeting a local US government network. It was found that the COBALT MIRAGE threat group prioritizes remote access via the Fast Reverse Proxy (FRPC) tool; while subgroup Cluster A prefers a modified version of the tool, known as TunnelFish, Cluster B prefers to leave the tool unmodified.

How Drokbk malware works.

The malware uses GitHub as a dead drop resolver to locate its command and control (C2) infrastructure. GitHub allows for these threat actors to fly under the radar more easily. “The use of Github as a virtual dead drop helps the malware blend in,” says Secureworks’ Principal Researcher and thematic lead for research focused on Iran, Rafe Pilling, in a media release. “All the traffic to Github is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because Github is a legitimate service, it raises fewer questions.” This technique is also interesting, as it is unusual for Iranian malware, and represents a departure from past Iranian practice.