A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed “Drokbk” to attack a variety of US organizations, using GitHub as a “dead-drop resolver.”
According to MITRE, the dead-drop resolver technique refers to adversaries posting content with embedded malicious domains or IP addresses on legitimate Web services, so that their malware can look up its infrastructure without hard-coding it, in an effort to hide their nefarious intent.
In this case, Drokbk uses the dead-drop resolver technique to find its command-and-control (C2) server by connecting to GitHub.
“The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware,” the report noted.
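A dead-drop resolver leaves a characteristic trace in egress logs: a host repeatedly fetching the same file from a code-hosting service with a client that is neither a browser nor git. The following hunting script is an added example, not code from the article or any vendor report; the proxy log format, the host list, the user-agent allow-list and the sample lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hosts a GitHub-based dead-drop resolver would read its C2 record from (assumed list).
DEAD_DROP_HOSTS = ("raw.githubusercontent.com", "api.github.com", "gist.githubusercontent.com")
# Clients that legitimately touch those hosts; anything else is worth a look (assumed list).
BENIGN_UA = re.compile(r"Mozilla/|git/|pip/|go-http-client|curl/", re.I)
# Constructed log format: timestamp client_ip "user_agent" url
LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample proxy log (not from the article). 10.0.0.9 polls one raw file
# every three minutes with an empty user agent; the other clients are normal traffic.
SAMPLE_LOGS = """\
2022-12-09T10:00:01Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0) Chrome/108" https://github.com/org/repo
2022-12-09T10:00:07Z 10.0.0.5 "git/2.38.1" https://github.com/org/repo.git/info/refs
2022-12-09T10:00:12Z 10.0.0.9 "-" https://raw.githubusercontent.com/acct1234/r/main/README.md
2022-12-09T10:01:00Z 10.0.0.7 "Mozilla/5.0 (X11; Linux) Firefox/107" https://raw.githubusercontent.com/x/y/main/install.sh
2022-12-09T10:03:12Z 10.0.0.9 "-" https://raw.githubusercontent.com/acct1234/r/main/README.md
2022-12-09T10:06:12Z 10.0.0.9 "-" https://raw.githubusercontent.com/acct1234/r/main/README.md
"""

def parse(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, client, ua, url = m.groups()
    host = url.split("/")[2] if "://" in url else ""
    # Accept the trailing 'Z' on Python versions whose fromisoformat does not.
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "ua": ua, "url": url, "host": host}

def find_dead_drop_polling(log_text, min_hits=3):
    """Flag (client, url) pairs that fetch one dead-drop host file repeatedly with a
    non-browser, non-git client. Returns one alert per pair with hit count and the
    mean interval between fetches, which exposes regular beaconing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["host"] not in DEAD_DROP_HOSTS or BENIGN_UA.search(rec["ua"]):
            continue
        hits[(rec["client"], rec["url"])].append(rec["ts"])
    alerts = []
    for (client, url), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        alerts.append({"client": client, "url": url, "count": len(times),
                       "mean_interval_s": sum(gaps) / len(gaps)})
    return alerts
```

Tune `min_hits` and the host list to your environment; build pipelines that poll raw GitHub files with custom user agents will otherwise show up as false positives.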
The Drokbk malware is written in .NET, and it’s made up of a dropper and a payload.
Typically, it’s used to install a Web shell on a compromised server, after which additional tools are deployed as part of the lateral expansion phase.
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.