Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Vulnerability Exploitation, Backdoor, Dropper
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload. It has limited built-in functionality and primarily executes additional commands received from its command and control (C2) server. The February 2022 intrusion began with the compromise of a VMware Horizon server through two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as the Fast Reverse Proxy client (FRPC), to maintain persistence in the victim's environment.
- Sector: Government Agencies and Services (Verified)
Tip: 21 IOCs related to this threat have been found (3 IP addresses, 4 domains, 1 URL, 0 email addresses, 13 file hashes).
Source: Microsoft - April 2023
Detection (three cases): dns-iprecords[.]tk, oracle-java[.]cf, universityofmhealth[.]biz
Source: eSentire - March 2022
Detection (one case): activate-microsoft[.]cf
Source: CISA - November 2021
Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.