Secureworks Counter Threat Unit (CTU) researchers are investigating the Drokbk malware, which is operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group.
Drokbk Malware
The Drokbk malware was detected in use as early as February of this year in an intrusion targeting a local US government network. It was found that the COBALT MIRAGE threat group prioritizes remote access via the Fast Reverse Proxy (FRPC) tool.
How Drokbk Malware is deployed
COBALT MIRAGE’s preferred form of remote access uses the Fast Reverse Proxy (FRPC) tool. While COBALT MIRAGE Cluster A uses a modified version of this tool known as TunnelFish, Cluster B favors the unaltered version. The only public mention of Drokbk.exe is in a March third-party report describing activity that exhibits signs of a Cluster B intrusion. In that instance, the malware used the C2 domain activate-microsoft . cf, which is known to be associated with Cluster B.
- The Drokbk dropper checks for the existence of the c:\programdata\SoftwareDistribution directory and creates the directory if it does not exist.
- The dropper then writes all bytes from an internal resource to c:\users\public\pla. This is a temporary step; the extracted file (pla) is then copied to c:\programdata\SoftwareDistribution\SessionService.exe.
- Using this newly created file, the dropper adds the SessionManagerService service for persistence. Finally, the dropper deletes c:\users\public\pla. Figure 1 illustrates the installation process.
SessionService.exe is the main malware payload, and it begins by finding its C2 domain. A C2 domain is often preconfigured in malware. However, Drokbk uses the dead drop resolver technique to determine its C2 server by connecting to a legitimate service on the internet (e.g., GitHub).
“Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok,” Pilling said.
IOCS
| Indicator | Type | Context |
|---|---|---|
| 372b1946907ab9897737799f3bc8c131 00519705 | SHA1 hash | Drokbk.exe malware |
| e26a66bfe0da89405e25a66baad95b05 | MD5 hash | Drokbk.exe malware |
| 4eb5c832ce940739d6c0eb1b4fc7a78d ef1dd15e | SHA1 hash | Drokbk.exe malware |
| 64f39b858c1d784df1ca8eb895ac7eaf 47bf39acf008ed4ae27a796ac90f841b | SHA256 hash | Drokbk.exe malware |
| 8c8e184c280db126e6fcfcc507aea925 | MD5 hash | Drokbk.exe malware |
| aefab35127292cbe0e1d8a1a2fa7c39c 9d72f2ea | SHA1 hash | Drokbk.exe malware |
| 29dc4cae5f08c215d57893483b5b42cb 00a2d0e7d8361cda9feeaf515f8b5d9e | SHA256 hash | Drokbk.exe malware |
| 14a0e5665a95714ff4951bd35eb73606 | MD5 hash | Drokbk malware payload (SessionService.exe) |
| 0426f65ea5bcff9e0dc48e236bbec293 380ccc43 | SHA1 hash | Drokbk malware payload (SessionService.exe) |
| a8e18a84898f46cd88813838f5e69f05 240c4853af2aee5917dcee3a3e2a5d5a | SHA256 hash | Drokbk malware payload (SessionService.exe) |
| b90f05b5e705e0b0cb47f51b985f84db | MD5 hash | Fast Reverse Proxy used by COBALT MIRAGE Cluster B |
| 5bd0690247dc1e446916800af169270f 100d089b | SHA1 hash | Fast Reverse Proxy used by COBALT MIRAGE Cluster B |
| 28332bdbfaeb8333dad5ada3c10819a1 a015db9106d5e8a74beaaf03797511aa | SHA256 hash | Fast Reverse Proxy used by COBALT MIRAGE Cluster B |
| activate-microsoft.cf | Domain name | Drokbk C2 server |
| dns-iprecords.tk | Domain name | Drokbk C2 server |
| oracle-java.cf | Domain name | Drokbk C2 server |
| 51.89.135.154 | IP address | Hosts COBALT MIRAGE domain (oracle-java.cf) |
| 142.44.149.199 | IP address | Drokbk C2 server |
| 142.44.149.199/gsdi546gsja | URL | Drokbk C2 server |
| universityofmhealth.biz | Domain name | Drokbk C2 server |
| 142.44.198.202 | IP address | Drokbk C2 server |
Leave A Comment