Local governments allegedly targeted with Iranian ‘Drokbk’ malware through Log4j vulnerability

The networks of several local governments in the U.S. have been targeted with the Drokbk malware, allegedly wielded by Iranian government-backed groups exploiting the Log4j vulnerability.

Researchers with Secureworks Counter Threat Unit said on Friday that Iranian threat group Cobalt Mirage – which other researchers call Nemesis Kitten or UNC2448 – has been actively looking to exploit U.S. networks in a campaign that began in February. 

The group uses the Drokbk malware to maintain their access in a victim’s network, according to Rafe Pilling, principal security researcher for Secureworks.

Secureworks noted that about a month ago, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about an Iranian advanced persistent threat (APT) group that accessed the server of a federal agency by exploiting the Log4j vulnerability.

Secureworks said that even though CISA did not name the group at the time, they believe the same actors were also targeting local governments in the U.S., as well as organizations in the finance and education industries. 

“However, target selection by Cobalt Mirage is likely opportunistic driven by presence of vulnerabilities that the group are using. i.e. Log4j vulnerabilities in VMware Horizon (CVE-2021-44228),” the researchers said. 

One thing that stood out to the researchers is the fact that the Drokbk malware uses a technique considered unusual for Iranian malware involving GitHub to obtain its command and control infrastructure.

Secureworks researchers first found evidence of Drokbk malware in February and said it is typically used after the group has already infiltrated a network.

“The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046),” they said. 

“Forensic artifacts indicated Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer.sh online service. This code identifies the specific GitHub account and the request used to locate the malware's C2 server [command and control]. In this campaign, the threat actor used a GitHub account with the username Shinault23.”

The researchers noted that this tactic gives the group resiliency against the shutting down of its GitHub accounts because, in that instance, they can simply create a new account with a matching repository name.

The report comes one day after cybersecurity firm Deep Instinct released its own report about a long-running campaign by MuddyWater – a cyber espionage group they believe works within Iran's Ministry of Intelligence and Security. 

The firm uncovered a campaign running since at least 2017 where the group targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.

The report focuses on a recent spearphishing campaign targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan and the United Arab Emirates.

The spearphishing emails began at the end of 2021 and continued through this fall. 

In September, CISA worked with cyber agencies at several allied nations to release a technical advisory about the tactics used by the hackers in a number of incidents, noting that they have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. 

“The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations,” CISA said.