Threats Feed | Cobalt Mirage | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 09/12/2022

Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Dropper
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The COBALT MIRAGE threat group is using Drokbk malware to target U.S. local government networks. The malware, written in .NET, consists of a dropper and a payload with limited built-in functionality; it primarily executes additional commands received from the command and control (C2) server. The February 2022 intrusion began with the compromise of a VMware Horizon server using two Log4j vulnerabilities. Drokbk is deployed post-intrusion alongside other access mechanisms, such as the Fast Reverse Proxy (FRPC) tool, to maintain persistence within the victim's environment.

Detected Targets

Type     Description                        Confidence
Sector   Government Agencies and Services   Verified
Region   United States                      Verified

Extracted IOCs


Tip: 21 related IOCs (3 IP, 4 domain, 1 URL, 0 email, 13 file hash) to this threat have been found.

Overlaps

Mint Sandstorm: Mint Sandstorm Subgroup Targets US Critical Infrastructure

Source: Microsoft - April 2023

Detection (three cases): dns-iprecords[.]tk, oracle-java[.]cf, universityofmhealth[.]biz

Cobalt Mirage: COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

TunnelVision: TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers

Source: eSentire - March 2022

Detection (one case): activate-microsoft[.]cf

Unknown: Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.