Threat actors from the state-backed Iranian group Cobalt Mirage are using new custom malware dubbed Drokbk to attack a variety of US organizations, using GitHub as a dead-drop resolver.
MITRE refers to this technique as a dead-drop resolver: adversaries post content with embedded malicious domains or IP addresses on legitimate Web services in an effort to hide their nefarious intent.
Drokbk, in this campaign, uses the dead-drop resolver technique to find its C2 server by connecting to GitHub.
Drokbk is written in .NET, and it’s made up of a dropper and a payload. It is used to install a web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.
According to the researchers, Drokbk surfaced in February after an intrusion at a US local government network. It begins its attack with a compromise of a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
Drokbk provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok. It’s also a relatively unknown piece of malware.
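As an added detection example (not code from the Secureworks report or from the Drokbk samples), the following Python flags server-class hosts that fetch content from GitHub or reach Ngrok, the behaviour described above for a compromised Horizon server; the proxy-log format, host names and the server inventory tag are constructed assumptions.

```python
"""Flag server-class hosts performing dead-drop resolver lookups on GitHub
or reaching a tunnelling service such as Ngrok. Log format, hostnames and
the server inventory are constructed for this example."""
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp src_host dst_host path status
SAMPLE_LOGS = """\
2022-02-14T09:01:12Z hz-horizon-01 raw.githubusercontent.com /acct/repo/main/README.md 200
2022-02-14T09:01:13Z hz-horizon-01 raw.githubusercontent.com /acct/repo/main/README.md 200
2022-02-14T09:03:40Z hz-horizon-01 3a1f-203-0-113-10.ngrok.io / 200
2022-02-14T09:05:02Z ws-dev-17 github.com /org/project/pulls 200
2022-02-14T09:07:55Z hz-horizon-01 updates.example-vendor.test /patch 200
"""

# Hosts whose role means they should never browse code-hosting or tunnelling
# services. Assumption: such a role tag exists in your asset inventory.
SERVER_HOSTS = {"hz-horizon-01"}

# Legitimate services the article names as abused: GitHub as a dead-drop
# resolver and Ngrok as a tunnelling tool. Extend from your own telemetry.
DEAD_DROP_DOMAINS = ("github.com", "githubusercontent.com")
TUNNEL_DOMAINS = ("ngrok.io",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _matches(host, suffixes):
    # Exact domain or any subdomain of it
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_dead_drop_activity(log_text, server_hosts=SERVER_HOSTS):
    """Return {src_host: [(reason, dst_host), ...]} for server-class hosts
    that reached a dead-drop or tunnelling domain."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, src, dst, _path, _status = m.groups()
        if src not in server_hosts:
            continue
        if _matches(dst, DEAD_DROP_DOMAINS):
            findings[src].append(("dead-drop-resolver lookup", dst))
        elif _matches(dst, TUNNEL_DOMAINS):
            findings[src].append(("tunnelling service", dst))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in find_dead_drop_activity(SAMPLE_LOGS).items():
        print(host)
        for reason, dst in hits:
            print(f"  {reason}: {dst}")
```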
Organizations are advised to patch Internet-facing systems, since well-known and popular vulnerabilities such as ProxyShell and Log4Shell have been favored by this group.
The established APT groups are expected to continue to operate against targets aligned with Iranian intelligence interests, both foreign and domestic. The increased use of hacktivist and cybercrime personas will be used as cover for both intelligence-focused and disruptive operations.
This research was documented by researchers from Secureworks.
Indicators of Compromise