
Iran-sponsored group using GitHub to deploy custom malware

posted on December 13, 2022
by l33tdawg
Credit: Wikipedia

The Secureworks Counter Threat Unit (CTU) has uncovered a subgroup of the Iranian threat group Cobalt Mirage that uses GitHub to store and deploy malware.

Secureworks believes the subgroup of Cobalt Mirage, known as Cluster B, is sponsored by the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces. Cluster B borrows a traditional espionage tactic, using GitHub as a “dead drop resolver”.

The group packages up command-and-control server location instructions and stores them in a GitHub repository. Its malware, known as Drokbk, acts as the ‘agent’ on the inside: it collects these instructions from the repository to learn which server to talk to next. Rafe Pilling, Principal Researcher and thematic lead for research focused on Iran at Secureworks, says that using GitHub makes it easier for the attackers to go undetected.
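A dead-drop client has to revisit the same static file to pick up new tasking, which is the one behaviour a defender can look for in web-proxy logs. The following is an added example, not Secureworks' or the article's code: it parses constructed proxy log lines in a hypothetical format and flags any host that fetches one GitHub raw-content URL repeatedly at near-constant intervals. The log format, hostnames and repository paths are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines in a hypothetical format (not real traffic):
# <ISO timestamp> <src_host> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2022-12-13T09:00:00Z ws-0412 https://raw.githubusercontent.com/acct/notes/main/cfg.txt 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2022-12-13T09:00:07Z ws-0412 https://cdn.example.com/app.js 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"
2022-12-13T09:30:00Z ws-0412 https://raw.githubusercontent.com/acct/notes/main/cfg.txt 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2022-12-13T10:00:01Z ws-0412 https://raw.githubusercontent.com/acct/notes/main/cfg.txt 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2022-12-13T10:30:00Z ws-0412 https://raw.githubusercontent.com/acct/notes/main/cfg.txt 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2022-12-13T09:10:00Z dev-07 https://raw.githubusercontent.com/acct/tool/main/README.md 200 "Mozilla/5.0 (X11; Linux) Firefox/107.0"
2022-12-13T15:03:00Z dev-07 https://raw.githubusercontent.com/acct/tool/main/README.md 200 "Mozilla/5.0 (X11; Linux) Firefox/107.0"
"""

# Hosts that serve repository files verbatim, where a drop would be fetched from.
DROP_HOSTS = ("raw.githubusercontent.com", "gist.githubusercontent.com")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse(log_text):
    """Yield (timestamp, src_host, url, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(5)

def find_polling(log_text, min_hits=3, max_jitter=0.2):
    """Return {(src_host, url): mean_interval_seconds} for raw GitHub files
    fetched at least min_hits times by one host with gaps whose relative
    spread is at most max_jitter. Regular polling of a single static file
    is what a dead-drop client does; a person browsing a repo does not."""
    hits = defaultdict(list)
    for ts, host, url, _ua in parse(log_text):
        if any(url.startswith(f"https://{h}/") for h in DROP_HOSTS):
            hits[(host, url)].append(ts)
    findings = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # dev-07 below this threshold: two reads of a README
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = avg  # ws-0412: cfg.txt every ~1800 s
    return findings
```

Treat a hit as a lead for triage, not a verdict: legitimate software updaters also poll fixed raw files, so confirm with the requesting process and the file's contents.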
