Drokbk is a .NET-based malware used by COBALT MIRAGE Cluster B, consisting of a dropper and a payload that primarily executes commands from a remote C2 server. The campaign uses a GitHub dead-drop resolver to locate its C2 and demonstrates persistence via a Windows service, with extensive IOCs including domains, IPs, and file hashes.
Keypoints
- Drokbk is a .NET malware package (dropper and payload) associated with COBALT MIRAGE Cluster B, used for post-intrusion persistence and remote command execution.
- The dropper creates a Windows service (SessionManagerService) to establish persistence and stores temporary files in common user directories.
- The C2 resolver uses a dead-drop technique by querying a GitHub account (Shinault23) and reading a README.md to obtain C2 server information, enabling dynamic updates.
- The campaign began with a VMware Horizon compromise exploiting Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 in February 2022.
- Drokbk's C2 infrastructure is revealed through GitHub commit history and a list of associated domains, URLs, and IPs used between June and July 2022.
- Multiple IOCs include numerous hashes (for both Drokbk components and the Fast Reverse Proxy) and several C2 domains, IPs, and a URL used for C2.
MITRE Techniques
- [T1190] Exploit Public-Facing Application: The February intrusion began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). "…The February intrusion that Secureworks incident responders investigated began with a compromise of a VMware Horizon server using two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046…)."
- [T1105] Ingress Tool Transfer: Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer.sh file-sharing service, so the download itself blends in with ordinary traffic to a public service. "…Drokbk.exe was extracted from a compressed archive (Drokbk.zip) hosted on the legitimate transfer.sh online service."
- [T1543.003] Create or Modify System Process: Windows Service: The dropper adds the SessionManagerService service for persistence; an unexpected service with this name is a direct host-based indicator. "…the dropper adds the SessionManagerService service for persistence."
- [T1102.001] Web Service: Dead Drop Resolver: Drokbk determines its C2 server by connecting to a legitimate internet service (GitHub) and reading the address from a README.md in an actor-controlled account, rather than carrying a hard-coded C2 in the binary. "…uses the dead drop resolver technique to determine its C2 server by connecting to a legitimate service on the internet (e.g., GitHub)."
- [T1583.006] Acquire Infrastructure: Web Services: The dead-drop location is a GitHub account (Shinault23) whose README.md holds the C2 data, so the actor can repoint every implant to new infrastructure by editing the file, and the repository's commit history exposes the earlier C2 addresses. "…In this campaign, the threat actor used a GitHub account with the username Shinault23."
Indicators of Compromise
- [Hash] Drokbk.exe malware: 372b1946907ab9897737799f3bc8c13100519705 (SHA1), e26a66bfe0da89405e25a66baad95b05 (MD5), 4eb5c832ce940739d6c0eb1b4fc7a78def1dd15e (SHA1)
- [Hash] Drokbk.exe malware: 64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b (SHA256)
- [Hash] Drokbk.exe malware: 8c8e184c280db126e6fcfcc507aea925 (MD5)
- [Hash] Drokbk.exe malware: aefab35127292cbe0e1d8a1a2fa7c39c9d72f2ea (SHA1)
- [Hash] Drokbk.exe malware: 29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e (SHA256)
- [Hash] Drokbk malware payload (SessionService.exe): 14a0e5665a95714ff4951bd35eb73606 (MD5), 0426f65ea5bcff9e0dc48e236bbec293380ccc43 (SHA1), a8e18a84898f46cd88813838f5e69f05240c4853af2aee5917dcee3a3e2a5d5a (SHA256)
- [Hash] Fast Reverse Proxy used by COBALT MIRAGE Cluster B: b90f05b5e705e0b0cb47f51b985f84db (MD5), 5bd0690247dc1e446916800af169270f100d089b (SHA1), 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa (SHA256)
- [Domain] C2 domains: activate-microsoft.cf, dns-iprecords.tk, oracle-java.cf, universityofmhealth.biz
- [IP] C2 IPs: 51.89.135.154, 142.44.149.199, 142.44.198.202
- [URL] C2 URL: 142.44.149.199/gsdi546gsja
Table 1. Indicators for this threat.
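The following is an added hunting example, not Secureworks' code or anything shipped with Drokbk. It turns the page's indicators and the two behaviours described under the MITRE techniques (the SessionManagerService persistence and the GitHub dead-drop lookup) into a small matcher that runs over Sysmon-style event records. The event records, the field names, the user-directory pattern and the list of benign GitHub clients are all assumptions constructed for this example; the hashes, domains, IPs and service name are the ones listed above.

```python
"""Hunt for Drokbk indicators and dead-drop behaviour in simplified host telemetry.

Added example for this page; not the malware author's or Secureworks' code.
Record layout and sample events are constructed for illustration.
"""
import re

# Indicators copied from the page's IOC list (Drokbk.exe, SessionService.exe, FRP).
IOC_HASHES = {
    "372b1946907ab9897737799f3bc8c13100519705", "e26a66bfe0da89405e25a66baad95b05",
    "4eb5c832ce940739d6c0eb1b4fc7a78def1dd15e",
    "64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b",
    "8c8e184c280db126e6fcfcc507aea925", "aefab35127292cbe0e1d8a1a2fa7c39c9d72f2ea",
    "29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e",
    "14a0e5665a95714ff4951bd35eb73606", "0426f65ea5bcff9e0dc48e236bbec293380ccc43",
    "a8e18a84898f46cd88813838f5e69f05240c4853af2aee5917dcee3a3e2a5d5a",
    "b90f05b5e705e0b0cb47f51b985f84db", "5bd0690247dc1e446916800af169270f100d089b",
    "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa",
}
IOC_DOMAINS = {"activate-microsoft.cf", "dns-iprecords.tk", "oracle-java.cf",
               "universityofmhealth.biz"}
IOC_IPS = {"51.89.135.154", "142.44.149.199", "142.44.198.202"}
SERVICE_NAME = "SessionManagerService"

# Hosts a GitHub-based dead-drop resolver would contact to read a README.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}
# Assumed: the user-writable directories the page says the dropper stages files in.
USER_DIR_RE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Assumed allow-list; tune to the environment. Anything else in a user directory
# that talks to GitHub is worth a look.
BENIGN_GITHUB_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe"}


def hash_kind(h):
    """Classify a hex digest by length so mixed IOC lists can be matched sensibly."""
    return {32: "MD5", 40: "SHA1", 64: "SHA256"}.get(len(h), "unknown")


def refang(value):
    """Undo common defanging such as 'transfer . sh' or 'oracle-java[.]cf'."""
    return re.sub(r"\s*\[\.\]\s*|\s+\.\s+", ".", value.strip().lower())


def hunt(records):
    """Return (severity, reason, record) for each record matching an IOC or the
    dead-drop pattern. Records are dicts with an 'event' field of process,
    service or network (a simplified Sysmon shape, assumed for this example)."""
    hits = []
    for r in records:
        event = r.get("event")
        if event == "process":
            h = r.get("hash", "").lower()
            if h in IOC_HASHES:
                hits.append(("high", f"{hash_kind(h)} matches a Drokbk/FRP indicator", r))
        elif event == "service":
            if r.get("name") == SERVICE_NAME:
                hits.append(("high", "SessionManagerService created (Drokbk persistence)", r))
        elif event == "network":
            host = refang(r.get("dest", "")).split("/")[0]
            if host in IOC_DOMAINS or host in IOC_IPS:
                hits.append(("high", "connection to known Drokbk C2", r))
                continue
            image = r.get("image", "")
            exe = image.rsplit("\\", 1)[-1].lower()
            if (host in GITHUB_HOSTS and USER_DIR_RE.match(image)
                    and exe not in BENIGN_GITHUB_CLIENTS):
                hits.append(("medium",
                             "binary in user directory reading GitHub (possible dead-drop resolver)", r))
    return hits


# Constructed sample telemetry; not real captured events.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Users\alice\AppData\Local\Temp\Drokbk.exe",
     "hash": "E26A66BFE0DA89405E25A66BAAD95B05"},
    {"event": "service", "name": "SessionManagerService",
     "image": r"C:\Users\alice\AppData\Local\Temp\SessionService.exe"},
    {"event": "network", "image": r"C:\Users\alice\AppData\Local\Temp\SessionService.exe",
     "dest": "raw.githubusercontent.com"},
    {"event": "network", "image": r"C:\Program Files\Git\cmd\git.exe", "dest": "github.com"},
    {"event": "network", "image": r"C:\Users\alice\AppData\Local\Temp\SessionService.exe",
     "dest": "activate-microsoft[.]cf"},
    {"event": "process", "image": r"C:\Windows\System32\svchost.exe",
     "hash": "0000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for severity, reason, rec in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}: {rec.get('image') or rec.get('name')}")
```

The dead-drop heuristic deliberately scores lower than an exact IOC match: GitHub traffic is common, and the signal is the combination of a non-browser, non-git binary running from a user-writable directory with a connection to a GitHub host. Hash, domain and IP matches are exact and case-insensitive, and `refang` lets the same matcher consume defanged indicator feeds without hand-editing them.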
Read more: https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver