An Iranian threat group that performs both cyber espionage and financially motivated attacks has been using a piece of malware called Drokbk as part of recent intrusions that rely on GitHub as a dead-drop resolver to communicate new information to infected machines.
Drokbk has been seen in intrusions for the last few months, typically after a threat actor has exploited the Log4Shell vulnerability in VMware Horizon servers. Researchers at Secureworks have been tracking attacks by the threat actor known as Cobalt Mirage that deploy Drokbk after initially exploiting the Log4Shell flaws in Horizon servers, including an intrusion in February at a local government in the United States. Drokbk comprises two main components, a dropper and the main payload, and is used by a specific subgroup of Cobalt Mirage known as cluster B.
“The malware has limited built-in functionality and primarily executes additional commands or code from the command and control (C2) server. Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” a new Secureworks Counter Threat Unit [report](https://secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver) says.
“SessionService.exe is the main malware payload, and it begins by finding its C2 domain. A C2 domain is often preconfigured in malware. However, Drokbk uses the dead drop resolver technique to determine its C2 server by connecting to a legitimate service on the internet (e.g., GitHub). The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware. The binary uses the GitHub API to search for the 'mainrepositorytogeta' repository. This code identifies the specific GitHub account and the request used to locate the malware's C2 server. The response is stored within the README.md file hosted on the GitHub account. In this campaign, the threat actor used a GitHub account with the username Shinault23.”
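The dead-drop-resolver behaviour described above leaves a distinctive two-step footprint in outbound web telemetry: a call to the GitHub repository-search API, followed shortly by a fetch of a README.md. The following hunting script is an added example, not code from the Secureworks report or from the malware; it runs over constructed proxy-log lines, and the raw.githubusercontent.com path and the `main` branch name are assumptions (the repository name and account are the ones quoted above).

```python
"""Hunt for the GitHub dead-drop-resolver pattern in proxy logs:
a client queries the repository-search API and, within a short window,
pulls a README.md. The log lines below are constructed for illustration."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: "<timestamp> <client_ip> <method> <url>" per line.
SAMPLE_LOG = """\
2022-06-14T10:02:11 10.0.5.20 GET https://api.github.com/search/repositories?q=mainrepositorytogeta
2022-06-14T10:02:13 10.0.5.20 GET https://raw.githubusercontent.com/Shinault23/mainrepositorytogeta/main/README.md
2022-06-14T10:05:00 10.0.7.44 GET https://api.github.com/search/repositories?q=log4j+scanner
2022-06-14T11:30:00 10.0.7.44 GET https://github.com/login
2022-06-14T12:00:00 10.0.5.21 GET https://raw.githubusercontent.com/example/tool/main/README.md
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# GitHub's repository search endpoint; the query string is what the client searched for.
SEARCH_RE = re.compile(r"^https://api\.github\.com/search/repositories\?q=([^&\s]+)")
# Raw README fetch: owner/repo/branch path is an assumption about how the file is pulled.
README_RE = re.compile(r"^https://raw\.githubusercontent\.com/[^/]+/[^/]+/[^/]+/README\.md$")


def find_dead_drop_candidates(log_text: str, window_seconds: int = 300) -> List[Dict]:
    """Return one finding per client whose repository search is followed by a
    README.md fetch from the same client within window_seconds."""
    pending = {}   # client_ip -> (timestamp, search query) of its latest repo search
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the hunt
        ts = datetime.fromisoformat(m.group(1))
        client, url = m.group(2), m.group(4)
        s = SEARCH_RE.match(url)
        if s:
            pending[client] = (ts, s.group(1))
            continue
        if README_RE.match(url) and client in pending:
            seen_at, query = pending.pop(client)
            if ts - seen_at <= timedelta(seconds=window_seconds):
                findings.append({"client": client, "query": query,
                                 "readme": url, "gap_s": int((ts - seen_at).total_seconds())})
    return findings


if __name__ == "__main__":
    for f in find_dead_drop_candidates(SAMPLE_LOG):
        print(f"{f['client']} searched '{f['query']}' then fetched {f['readme']} {f['gap_s']}s later")
```

Servers such as VMware Horizon hosts have no business querying GitHub search at all, so in practice the search call alone is worth an alert; the README follow-up raises confidence.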
The campaign using this technique likely began in June, as that’s when the first commit to the GitHub repository occurred. Over the next few weeks, the Cobalt Mirage actors changed the C2 domain several different times and many of the domains had been used in other campaigns by Cobalt Mirage cluster B.
Cobalt Mirage is a relatively new threat actor that started operating in early 2021. The group is known to use BitLocker as ransomware and often goes after organizations in the U.S., Israel, and Europe. The actor often exploits known vulnerabilities such as Log4Shell and ProxyShell for initial access and is linked to the Iranian military.