Drokbk Flying Under the Radar by using GitHub as Dead Drop Resolver

How Drokbk was discovered

• The malware was first spotted in February in a U.S. local government network intrusion. The attackers compromised a VMware Horizon server using the two Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046).
• They embedded a malicious executable in a compressed archive hosted on the legitimate transfer .sh online service. Upon execution, the dropper created a directory, dropped the final payload, executed it, and deleted traces from the compromised system.

Diving into malware functionalities

• It has limited built-in functionality such as installing a web shell on a compromised server. 
• It is deployed post-intrusion, alongside other persistent access mechanisms and additional tools for the lateral expansion phase within the victim's environment.
• It primarily executes additional commands or code from the C2 server. 
• It provides the threat actors with arbitrary remote access and an additional foothold, alongside tunneling tools such as Fast Reverse Proxy (FRP) and Ngrok.

GitHub as dead drop resolver

• The final payload (SessionService.exe) begins by finding its C2 domain by searching for preconfigured information stored on a cloud service in a GitHub account.
• The attackers posted content on a GitHub account with embedded malicious domains or IP addresses in an effort to hide their nefarious intent. The content is either preconfigured in the malware or can be deterministically located by the malware.
• Researchers observed an attacker-operated GitHub account Shinault23 that dynamically updates its C2 server to maintain resiliency against shuttering of its GitHub account.

Conclusion