A subgroup of the Iran-based Cobalt Mirage threat group has been observed leveraging Drokbk malware to achieve persistence on victims’ systems.
The claims come from Secureworks Counter Threat Unit (CTU) researchers, who shared an advisory about Drokbk with Infosecurity before publication.
According to the security team, the attacks come from Cobalt Mirage’s subgroup, Cluster B. Drokbk’s malicious code had been written in .NET and comprised of a dropper and a payload.
“The malware has limited built-in functionality and primarily executes additional commands or code from the command and control (C2) server,” reads the advisory.
“Early signs of its use in the wild appeared in a February 2022 intrusion at a US local government network. A Drokbk malware sample was not available from that incident for analysis, but CTU researchers later discovered samples uploaded to the VirusTotal analysis service.”
The security researchers added that Drokbk is deployed after the initial intrusion, alongside other access mechanisms, as an additional form of persistence within the victim’s environment.
“Cobalt Mirage’s preferred form of remote access uses the Fast Reverse Proxy (FRPC) tool. While Cobalt Mirage Cluster A uses a modified version of this tool known as TunnelFish, Cluster B favors the unaltered version.”
Secureworks further explained that Drokbk uses the dead drop resolver technique to determine its C2 server by connecting to a legitimate service on the internet (e.g., GitHub).
“We’ve seen a similar technique deployed digitally by Cluster B – in this case, GitHub is the bench,” explained Rafe Pilling, principal researcher and Iran thematic lead at Secureworks.
“Because Github encrypts traffic, defensive technologies can’t see what’s being requested from repositories, making it the perfect space for Cluster B to pass Drokbk the location of command-and-control servers to communicate with.”
Pilling also told Infosecurity that, as it’s a legitimate service used by many organizations, Github’s unlikely to raise any concerns for security teams, allowing Drokbk to hide in plain sight.
“This makes it very difficult for organizations to detect Drokbk, but something to look out for is increased Github API requests from unexpected sources, which is a tell-tale sign that they might have been infected by Drokbk.”
To mitigate exposure to Drokbk, CTU researchers recommended that companies use available controls to review and restrict access using the indicators listed in the advisory, which is now publicly available.
Its publication comes months after the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI claimed to have discovered state-backed Iranian threat actors hiding inside an Albanian government network for 14 months.