Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

Secureworks Counter Threat Unit (CTU) researchers are investigating the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group.

Drokbk Malware

The Drokbk malware was first observed in February 2022, during an intrusion into a local US government network. COBALT MIRAGE's usual route to remote access is the Fast Reverse Proxy (FRPC) tool; Drokbk gives the group an additional, independent foothold on the same host.

How Drokbk Malware is deployed

COBALT MIRAGE's preferred form of remote access uses the Fast Reverse Proxy (FRPC) tool. COBALT MIRAGE Cluster A uses a modified build of this tool known as TunnelFish, while Cluster B favors the unaltered version. The only public mention of Drokbk.exe is in a March 2022 third-party report describing activity that shows the hallmarks of a Cluster B intrusion. In that case the malware used the C2 domain activate-microsoft . cf, which is known to be associated with Cluster B.

  • The Drokbk dropper checks whether the c:\programdata\SoftwareDistribution directory exists and creates it if it does not.
  • The dropper then writes all bytes of an embedded resource to c:\users\public\pla. This is a temporary step: the extracted file (pla) is then copied to c:\programdata\SoftwareDistribution\SessionService.exe.
  • Using this newly created file as the service binary, the dropper registers a Windows service named SessionManagerService for persistence. Finally, the dropper deletes c:\users\public\pla. Figure 1 illustrates the installation process.
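The installation chain above leaves three host artefacts (the temporary pla file, the copied SessionService.exe, and the SessionManagerService service) that can be correlated in endpoint telemetry. The following hunt script is an added example and is not Secureworks' code or the malware's own; it assumes Sysmon file-create (EventID 11) and file-delete (EventID 23) events plus System-log service-install events (EventID 7045) exported as JSON lines, and the sample events it runs over are constructed for the example.

```python
r"""Hunt for the Drokbk dropper's installation chain in exported endpoint events.

Added example; not Secureworks' code and not the malware's. It correlates the
artefacts the write-up describes: the temporary file c:\users\public\pla, the
copied payload c:\programdata\SoftwareDistribution\SessionService.exe and the
SessionManagerService service. Event fields assume Sysmon (EventID 11 =
FileCreate, 23 = FileDelete) and the System log (EventID 7045 = service
installed) exported as JSON lines; the sample events below are constructed.
"""
import json
from collections import defaultdict

PLA_PATH = r"c:\users\public\pla"
PAYLOAD_PATH = r"c:\programdata\softwaredistribution\sessionservice.exe"
SERVICE_NAME = "sessionmanagerservice"
FULL_CHAIN = {"drop_pla", "copy_payload", "install_service", "delete_pla"}

# Constructed sample: WS01 and WS03 are benign, WS02 shows the whole chain.
SAMPLE_EVENTS = r"""
{"host":"WS01","EventID":11,"Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\Users\\Public\\notes.txt"}
{"host":"WS02","EventID":11,"Image":"C:\\Users\\bob\\Downloads\\Drokbk.exe","TargetFilename":"C:\\Users\\Public\\pla"}
{"host":"WS02","EventID":11,"Image":"C:\\Users\\bob\\Downloads\\Drokbk.exe","TargetFilename":"C:\\ProgramData\\SoftwareDistribution\\SessionService.exe"}
{"host":"WS02","EventID":7045,"ServiceName":"SessionManagerService","ImagePath":"\"C:\\ProgramData\\SoftwareDistribution\\SessionService.exe\""}
{"host":"WS02","EventID":23,"Image":"C:\\Users\\bob\\Downloads\\Drokbk.exe","TargetFilename":"C:\\Users\\Public\\pla"}
{"host":"WS03","EventID":7045,"ServiceName":"Spooler","ImagePath":"C:\\Windows\\System32\\spoolsv.exe"}
"""


def norm_path(value: str) -> str:
    """Lower-case and strip the quotes that service ImagePath values often carry."""
    return value.strip().strip('"').lower()


def classify(event: dict):
    """Map one event to an installation stage, or None if it is unrelated."""
    eid = event.get("EventID")
    target = norm_path(event.get("TargetFilename", ""))
    if eid == 11 and target == PLA_PATH:
        return "drop_pla"
    if eid == 11 and target == PAYLOAD_PATH:
        return "copy_payload"
    if eid == 7045 and (norm_path(event.get("ServiceName", "")) == SERVICE_NAME
                        or norm_path(event.get("ImagePath", "")) == PAYLOAD_PATH):
        return "install_service"
    if eid == 23 and target == PLA_PATH:
        return "delete_pla"
    return None


def hunt(jsonl: str) -> dict:
    """Return {host: sorted stages seen}; hosts with no matching events are omitted."""
    seen = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        stage = classify(event)
        if stage:
            seen[event["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}


def verdict(stages) -> str:
    """A single stage is worth triage; the complete chain is a confident match."""
    found = set(stages)
    if found == FULL_CHAIN:
        return "full Drokbk installation chain"
    if found:
        return "partial match: " + ", ".join(sorted(found))
    return "no match"


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, verdict(stages))
```

Matching on the service name alone would miss a renamed service, and matching on the payload path alone would miss a relocated copy, so the service check accepts either; a partial match (for example only the pla file create) still deserves a look because the dropper deletes the temporary file, and file-delete telemetry is often the only trace left of it.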

SessionService.exe is the main malware payload, and its first task is to find its C2 server. Most malware carries its C2 domain hardcoded in its configuration. Drokbk instead uses the dead drop resolver technique: it connects to a legitimate internet service (in this case GitHub), retrieves content the operators control there, and reads the C2 server address out of that content. Because the address lives on the service rather than in the binary, the operators can move the C2 without redeploying the malware, and the only network artefact of the lookup is a request to a well-known host.
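The exchange described above, both the operator side (publishing the address) and the implant side (resolving it), as an added example that is not part of the original article and not the malware's own code. The page format (a base64-encoded URL inside an HTML comment tagged "cfg:"), the sample README body, the ".invalid" hostnames and the fetch_page() stand-in for the HTTP GET are all assumptions made for illustration; the article does not describe Drokbk's actual encoding.

```python
"""Dead drop resolver: the implant learns its C2 from a page on a legitimate
service instead of carrying the domain in its binary.

Added example, not Secureworks' code or the malware's own. The page format
(a base64 URL inside an HTML comment tagged "cfg:"), the sample page and the
hostnames are assumptions for illustration; fetch_page() stands in for the
HTTP GET the implant would make to the service.
"""
import base64
import re
from typing import Optional

MARKER = re.compile(r"<!--\s*cfg:([A-Za-z0-9+/=]+)\s*-->")
URL_OK = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?$")


def make_dead_drop_page(c2_url: str) -> str:
    """Operator side: embed the C2 URL in innocuous-looking README text.
    Rotating the C2 means editing this page, not re-deploying implants."""
    blob = base64.b64encode(c2_url.encode()).decode()
    return (
        "# weather-widget\n"
        "A small tool that prints the forecast.\n"
        f"<!-- cfg:{blob} -->\n"
    )


# Constructed stand-in for a README body; the comment decodes to
# https://example-c2.invalid:8443
SAMPLE_PAGE = (
    "# weather-widget\n"
    "A small tool that prints the forecast.\n"
    "<!-- cfg:aHR0cHM6Ly9leGFtcGxlLWMyLmludmFsaWQ6ODQ0Mw== -->\n"
)

# Constructed "service": maps URL to body. The first entry carries no marker,
# as a page would if the operator pulled it or the repository were suspended.
DEAD_DROPS = {
    "https://raw.githubusercontent.invalid/acct/weather-widget/main/README.md":
        "# weather-widget\nRepository archived.\n",
    "https://gist.githubusercontent.invalid/acct/raw/config.md": SAMPLE_PAGE,
}


def fetch_page(url: str) -> Optional[str]:
    """Stand-in for the implant's HTTP GET; returns None for unknown URLs."""
    return DEAD_DROPS.get(url)


def parse_c2(page: str) -> Optional[str]:
    """Implant side: extract and validate the C2 URL, or None if the page has none."""
    match = MARKER.search(page)
    if not match:
        return None
    try:
        url = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return url if URL_OK.match(url) else None


def resolve_c2(urls, fetch=fetch_page) -> Optional[str]:
    """Try each dead drop in order; the first page with a valid config wins."""
    for url in urls:
        page = fetch(url)
        if page is None:
            continue
        c2 = parse_c2(page)
        if c2:
            return c2
    return None


if __name__ == "__main__":
    print(resolve_c2(list(DEAD_DROPS)))
```

For defenders the lesson is in resolve_c2(): the resolution step generates nothing but a GET to a reputable host, which proxy allow-lists will pass, so detection rests on the follow-on connection to the resolved address (the domains in the indicator table) and on the host artefacts of the installer, not on the lookup itself.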

“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.


Indicators associated with this threat

Indicator                           Type          Context
                                    SHA1 hash     Drokbk.exe malware
e26a66bfe0da89405e25a66baad95b05    MD5 hash      Drokbk.exe malware
                                    SHA1 hash     Drokbk.exe malware
                                    SHA256 hash   Drokbk.exe malware
8c8e184c280db126e6fcfcc507aea925    MD5 hash      Drokbk.exe malware
                                    SHA1 hash     Drokbk.exe malware
                                    SHA256 hash   Drokbk.exe malware
14a0e5665a95714ff4951bd35eb73606    MD5 hash      Drokbk malware payload (SessionService.exe)
                                    SHA1 hash     Drokbk malware payload (SessionService.exe)
                                    SHA256 hash   Drokbk malware payload (SessionService.exe)
b90f05b5e705e0b0cb47f51b985f84db    MD5 hash      Fast Reverse Proxy used by COBALT MIRAGE Cluster B
                                    SHA1 hash     Fast Reverse Proxy used by COBALT MIRAGE Cluster B
                                    SHA256 hash   Fast Reverse Proxy used by COBALT MIRAGE Cluster B
activate-microsoft.cf               Domain name   Drokbk C2 server
dns-iprecords.tk                    Domain name   Drokbk C2 server
oracle-java.cf                      Domain name   Drokbk C2 server
                                    IP address    Hosts COBALT MIRAGE domain
                                    IP address    Drokbk C2 server
universityofmhealth.biz             Domain name   Drokbk C2 server
                                    IP address    Drokbk C2 server

