Tag Archive for: Raindrop

‘Raindrop’ Is Latest Malware Tied to SolarWinds Hack


3rd Party Risk Management, Cybercrime, Forensics

Researchers: Backdoor Is Fourth Malware Variant Used During Attacks

A timeline illustrating a Raindrop infection (Source: Symantec Threat Intelligence)

Symantec Threat Intelligence says it has uncovered another malware variant used in the SolarWinds supply chain hack – a loader nicknamed “Raindrop” that apparently was used to deliver Cobalt Strike, a legitimate penetration testing tool, to a handful of targets.


Raindrop is the fourth malware variant identified as being used during the attack that targeted SolarWinds’ Orion network monitoring software. The others are Teardrop, Sunspot and Sunburst.

Symantec says Raindrop is similar to the already documented second-stage loader Teardrop, although they have several key differences.

“While Teardrop was delivered by the initial Sunburst backdoor, Raindrop appears to have been used for spreading across the victim’s network,” the Symantec report states.

Symantec researchers say they’ve detected no evidence that Raindrop is delivered directly by Sunburst. Raindrop appears elsewhere on networks where at least one device had already been compromised by Sunburst.

The SolarWinds supply chain attack that started in March 2020 involved placing the…


SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader


The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop, that was used to spread across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

  • Sunspot, the initial malware used to inject backdoors into the Orion platform builds
  • Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
  • Teardrop, the post-exploitation tool delivered by Sunburst on select victims to deploy customized Cobalt Strike beacons
  • Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but differs in its deployment mechanism as well as at the code level.

To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover as it is not used in any way.

In one victim that installed the trojanized Orion platform in early July 2020, Symantec found that Teardrop arrived the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where no malicious activity had previously been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers…
