Threats Feed | Cobalt Mirage | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 09/12/2022

Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Dropper
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

The COBALT MIRAGE threat group is using the Drokbk malware to target U.S. local government networks. Drokbk is written in .NET and consists of a dropper and a payload. It has little built-in functionality of its own; it primarily retrieves and executes additional commands from its command and control (C2) server. The February 2022 intrusion began with the compromise of a VMware Horizon server through two Log4j vulnerabilities. Drokbk is deployed after initial access, alongside other access mechanisms such as the fast reverse proxy client (frpc), to maintain persistence in the victim's environment.

Detected Targets

Sector: Government Agencies and Services
Region: United States

Extracted IOCs

  • activate-microsoft[.]cf
  • dns-iprecords[.]tk
  • oracle-java[.]cf
  • universityofmhealth[.]biz
  • 14a0e5665a95714ff4951bd35eb73606
  • 8c8e184c280db126e6fcfcc507aea925
  • b90f05b5e705e0b0cb47f51b985f84db
  • e26a66bfe0da89405e25a66baad95b05
  • 0426f65ea5bcff9e0dc48e236bbec293380ccc43
  • 372b1946907ab9897737799f3bc8c13100519705
  • 4eb5c832ce940739d6c0eb1b4fc7a78def1dd15e
  • 5bd0690247dc1e446916800af169270f100d089b
  • aefab35127292cbe0e1d8a1a2fa7c39c9d72f2ea
  • 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
  • 29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e
  • 64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b
  • a8e18a84898f46cd88813838f5e69f05240c4853af2aee5917dcee3a3e2a5d5a
  • 142[.]44.149.199
  • 142[.]44.198.202
  • 51[.]89.135.154
  • 142[.]44.149.199/gsdi546gsja

Tip: 21 IOCs related to this threat have been found (3 IP, 4 domain, 1 URL, 0 email, 13 file hash).
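The IOCs above are published defanged ("[.]" instead of "."), so they cannot be compared with log data as-is. The following is an added example, not code from Certfa Radar or from the vendors cited on this page: it refangs the list, classifies each indicator (IP, domain, URL, MD5/SHA1/SHA256) so the per-type counts can be checked against the tip line, and runs the resulting lookup sets over a few constructed key=value log lines (DNS, proxy and file-hash events). The log format, the sample lines, and the matching rules (domain IOCs also match subdomains; a URL IOC matches any URL that starts with it once the scheme is stripped) are assumptions for this example, not something the page states.

```python
"""Refang, classify and match the page's IOCs against constructed log lines."""
import re
from collections import Counter

# Defanged IOCs exactly as published on the page.
DEFANGED_IOCS = [
    "activate-microsoft[.]cf", "dns-iprecords[.]tk", "oracle-java[.]cf",
    "universityofmhealth[.]biz",
    "14a0e5665a95714ff4951bd35eb73606", "8c8e184c280db126e6fcfcc507aea925",
    "b90f05b5e705e0b0cb47f51b985f84db", "e26a66bfe0da89405e25a66baad95b05",
    "0426f65ea5bcff9e0dc48e236bbec293380ccc43",
    "372b1946907ab9897737799f3bc8c13100519705",
    "4eb5c832ce940739d6c0eb1b4fc7a78def1dd15e",
    "5bd0690247dc1e446916800af169270f100d089b",
    "aefab35127292cbe0e1d8a1a2fa7c39c9d72f2ea",
    "28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa",
    "29dc4cae5f08c215d57893483b5b42cb00a2d0e7d8361cda9feeaf515f8b5d9e",
    "64f39b858c1d784df1ca8eb895ac7eaf47bf39acf008ed4ae27a796ac90f841b",
    "a8e18a84898f46cd88813838f5e69f05240c4853af2aee5917dcee3a3e2a5d5a",
    "142[.]44.149.199", "142[.]44.198.202", "51[.]89.135.154",
    "142[.]44.149.199/gsdi546gsja",
]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HEX = re.compile(r"^[0-9a-f]+$")
_HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc: str) -> str:
    """Undo the usual '[.]' / 'hxxp' defanging so the value is comparable with logs."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


def classify(ioc: str) -> str:
    """Return ip, url, md5, sha1, sha256 or domain for a (possibly defanged) IOC."""
    v = refang(ioc).lower()
    if _IPV4.match(v):
        return "ip"
    if "/" in v:  # host or IP followed by a path
        return "url"
    if _HEX.match(v) and len(v) in _HASH_KINDS:
        return _HASH_KINDS[len(v)]
    return "domain"


def ioc_counts(iocs):
    """Per-type counts, with all hash lengths folded into one 'hash' bucket."""
    c = Counter(classify(i) for i in iocs)
    return {"ip": c["ip"], "domain": c["domain"], "url": c["url"],
            "hash": c["md5"] + c["sha1"] + c["sha256"]}


def build_index(iocs):
    """Refanged, lower-cased lookup sets keyed by IOC type."""
    idx = {"ip": set(), "domain": set(), "url": set(), "hash": set()}
    for i in iocs:
        kind = classify(i)
        idx["hash" if kind in _HASH_KINDS.values() else kind].add(refang(i).lower())
    return idx


def match_line(line: str, idx) -> list:
    """(type, ioc) hits for one key=value log line (constructed format, see SAMPLE_LOGS)."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    hits = []
    for value in fields.values():
        v = value.lower()
        if v in idx["ip"]:
            hits.append(("ip", v))
        elif v in idx["hash"]:
            hits.append(("hash", v))
        else:
            bare = re.sub(r"^[a-z]+://", "", v)  # drop scheme before host/URL checks
            for d in idx["domain"]:
                if bare == d or bare.endswith("." + d):  # subdomains match too
                    hits.append(("domain", d))
                    break
            for u in idx["url"]:
                if bare.startswith(u):
                    hits.append(("url", u))
                    break
    return hits


def scan(lines, idx):
    """Return [(line_number, hits)] for the lines that hit at least one IOC."""
    results = []
    for n, line in enumerate(lines):
        hits = match_line(line, idx)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample logs for this example (not from any real incident).
SAMPLE_LOGS = [
    "ts=2022-02-10T03:14:07Z type=dns client=10.20.30.41 query=dns-iprecords.tk rcode=NOERROR",
    "ts=2022-02-10T03:14:09Z type=proxy client=10.20.30.41 dst=142.44.149.199 "
    "url=http://142.44.149.199/gsdi546gsja status=200",
    "ts=2022-02-10T03:15:00Z type=dns client=10.20.30.77 query=www.example.com rcode=NOERROR",
    "ts=2022-02-10T03:16:22Z type=file host=WS-07 path=C:\\Temp\\sample.exe "
    "sha256=28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa",
    "ts=2022-02-10T03:17:00Z type=proxy client=10.20.30.55 dst=93.184.216.34 url=http://www.example.com/ status=200",
]

if __name__ == "__main__":
    # Sanity check: the classifier must reproduce the page's 3/4/1/13 breakdown.
    assert ioc_counts(DEFANGED_IOCS) == {"ip": 3, "domain": 4, "url": 1, "hash": 13}
    for n, hits in scan(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(f"line {n}: {hits}")
```

Lines 0, 1 and 3 of the sample set hit (domain, IP plus URL, and SHA256 respectively); the two www.example.com lines do not. Hash and IP matches are exact by design, since a prefix match on those would produce noise; the subdomain rule is the one that catches C2 hostnames under a listed domain, and is the first thing to extend with real DNS telemetry.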


Mint Sandstorm | Mint Sandstorm Subgroup Targets US Critical Infrastructure

Source: Microsoft - April 2023

Detection (three cases): dns-iprecords[.]tk, oracle-java[.]cf, universityofmhealth[.]biz

Cobalt Mirage | COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

TunnelVision | TunnelVision Threat Actor Exploits Log4Shell Vulnerability in VMware Horizon Servers

Source: eSentire - March 2022

Detection (one case): activate-microsoft[.]cf

Unknown | Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

Source: CISA - November 2021

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.