Iranian hackers start bookmarking GitHub
The Iranian cybercriminal group Cobalt Mirage has started laying bookmarks for future attacks. Let me remind you that the criminals are connected with the Iranian government. To attack American government resources, hackers began using the Drokb software. Dead Drop uses GitHub as a stash.
Dead Drop Resolver Technique
The bottom line is that hackers place content on official and legitimate Internet pages into which they enter malicious domains and IP addresses. Thus, they mask their real intentions.
There is no C&C-server address in the code itself. Instead, the program directly accesses the material posted on the pages of the public service. After that, certain characters are read. This line, at first glance, seems meaningless, devoid of logic. But for hackers, these symbols have an important meaning. The read malicious string is the key to open the next stage of the hack.
The program is written in .NET. It consists of a payload and a dropper. With its help, a web shell is installed on a discredited server. After that, a lateral movement is carried out, during which additional tools are launched.
The Secureworks Counter Threat Unit experts point out that Dead Drop provides attackers with remote access and an additional direction for attack. It is carried out in conjunction with the Fast Reverse Proxy and Ngrok tunneling tools. At the moment, this technique is not fully understood.
Protection methods
CTU recommends the following protective measures:
regularly fix systems simultaneously with the exit from the Internet (this is due to the fact that the criminal group uses the ProxyShell and Log4Shell vulnerabilities);
look for indicators of compromise (this is necessary in order to detect a hacker attack in a timely manner);
maintain the efficiency and relevance of anti-virus software;
regularly run EDR and XDR solutions for a complete analysis of the state of networks and cloud systems.
Previously, experts have already encountered attacks by the Cobalt Mirage group on the resources of the United States, Israel, Europe and Australia. Hackers mainly use 2 sets of attack tools. The first includes a complex that includes ransomware and official, legal tools. Purpose: ransom. The second set is used to obtain confidential information.
Do not neglect the installation of additional protection for your equipment. Better to be safe. Rather than become a victim of intruders. Who is aware is armed.
Thank you for sharing together here.