
Drokbk Flying Under the Radar by using GitHub as Dead Drop Resolver

A subgroup of the Iranian Cobalt Mirage threat group, known as Nemesis Kitten, is using a new custom malware dubbed Drokbk, written in .NET. The group is using GitHub as a dead-drop resolver to target a variety of U.S. organizations.

How Drokbk was discovered

Secureworks researchers discovered the group conducting broad scan-and-exploit activity to target vulnerable systems in organizations in the U.S. and Israel.
  • The malware was first spotted in February in a U.S. local government network intrusion. The attackers compromised a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
  • They embedded a malicious executable in a compressed archive hosted on the legitimate transfer.sh file-sharing service. Upon execution, the dropper created a directory, wrote the final payload to it, executed the payload, and deleted its own traces from the compromised system.

Diving into malware functionalities

Drokbk is a relatively unknown piece of malware and consists of a dropper and a payload.
  • It has limited built-in functionality, such as installing a web shell on a compromised server.
  • It is deployed post-intrusion, alongside other persistent access mechanisms and additional tools for the lateral expansion phase within the victim's environment.
  • It primarily executes additional commands or code received from the C2 server.
  • It provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools such as Fast Reverse Proxy (FRP) and Ngrok.

GitHub as dead drop resolver

Drokbk uses the dead drop resolver technique to locate its C2 server: it connects to GitHub and reads the C2 address from there.
  • The final payload (SessionService.exe) begins by finding its C2 domain, looking up preconfigured information stored in a GitHub account.
  • The attackers posted content to a GitHub account with malicious domains or IP addresses embedded in it, so that the lookup blends in with legitimate GitHub traffic. The location of that content is either preconfigured in the malware or can be deterministically derived by the malware.
  • Researchers observed an attacker-operated GitHub account, Shinault23, whose content is updated dynamically to point at the current C2 server, which keeps the infrastructure resilient if the GitHub account is shut down.
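From a defender's side, a dead drop resolver lookup leaves a recognisable sequence in web proxy logs: a host fetches user-controlled GitHub content (raw repository files, gists, or the API) and, shortly afterwards, opens a first-seen connection to a destination it has never contacted before. The script below is an added detection example written for this article; it is not code from the Secureworks report or from the malware. The GitHub hostnames are real, but the log lines, the per-host baseline of known destinations, the `placeholder-account` repository path and the five-minute window are all constructed assumptions.

```python
"""Added detection example: flag a GitHub content fetch that is followed,
within a short window, by a first-seen outbound connection from the same
host. Log lines, baseline and repository path are constructed for
illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts that serve user-controlled GitHub content (repo files, gists, API).
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
    "api.github.com",
    "github.com",
}

# Assumed baseline of destinations each host legitimately contacts.
# In practice this is built from historical proxy data; constructed here.
BASELINE = {
    "host-a": {"intranet.example.internal"},
    "dev-01": {"intranet.example.internal", "pypi.org"},
}

# Assumed time window between the GitHub fetch and the follow-on connection.
WINDOW = timedelta(minutes=5)

# Constructed proxy log lines: "<ISO time> <source host> <destination> <path>"
SAMPLE_LOGS = [
    "2022-02-10T09:00:01Z host-a intranet.example.internal /",
    "2022-02-10T09:00:05Z host-a raw.githubusercontent.com /placeholder-account/repo/main/README.md",
    "2022-02-10T09:00:09Z host-a 203.0.113.45 /",
    "2022-02-10T10:15:00Z dev-01 raw.githubusercontent.com /some-project/tool/main/setup.py",
    "2022-02-10T10:15:30Z dev-01 pypi.org /simple/requests/",
    # New destination, but no GitHub fetch in the preceding window: not flagged.
    "2022-02-10T11:00:00Z host-a 198.51.100.7 /",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, path)."""
    ts, src, dst, path = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, path


def find_dead_drop_candidates(lines, baseline=BASELINE, window=WINDOW):
    """Return (source host, GitHub path fetched, new destination) triples.

    A triple is emitted when a host fetches GitHub content and then, within
    `window`, contacts a destination that is neither GitHub nor in its
    baseline. Each new destination is reported once per host.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, path = parse_line(line)
        events[src].append((ts, dst, path))

    findings = []
    for src, evs in events.items():
        evs.sort()  # order by timestamp so the window scan is forward-only
        known = set(baseline.get(src, set()))
        for i, (ts, dst, path) in enumerate(evs):
            if dst not in GITHUB_CONTENT_HOSTS:
                continue
            for later_ts, later_dst, _ in evs[i + 1:]:
                if later_ts - ts > window:
                    break
                if later_dst in GITHUB_CONTENT_HOSTS or later_dst in known:
                    continue
                findings.append((src, path, later_dst))
                known.add(later_dst)
    return findings


if __name__ == "__main__":
    for src, path, dst in find_dead_drop_candidates(SAMPLE_LOGS):
        print(f"{src}: fetched {path} then contacted first-seen {dst}")
```

The developer workstation `dev-01` fetches GitHub content too, but its follow-on connection goes to a baselined destination, so only `host-a` is reported. The baseline is what keeps this usable: without it, every developer's git or package-manager traffic would trip the rule, so the quality of the per-host baseline matters more than the window size.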

Conclusion

Drokbk's abuse of GitHub as a dead drop resolver points to growing attacker interest in hiding C2 lookups inside traffic to legitimate cloud services. Organizations should invest in credential hygiene, least privilege, and network segmentation to limit the impact of such intrusions.
Publisher: Cyware