
image credit: pixabay
The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.
“The use of GitHub as a virtual dead drop helps the malware blend in,” Secureworks principal researcher Rafe Pilling said. “All the traffic to GitHub is encrypted, meaning defensive technologies can’t see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions.”