New Malware Detected During SolarWinds Incident Investigation


Information security specialists from Symantec (a division of Broadcom) have discovered new malware that was used by foreign-funded hackers in attacks on the software developer SolarWinds.


The tool, dubbed Raindrop, is a Cobalt Strike beacon downloader. Raindrop bears many similarities to the already well-known Teardrop tool, but there are some key differences between the two. While Teardrop was delivered via the Sunburst backdoor, Raindrop appears to have been used to spread across the victim's network. To date, Symantec has found no evidence that Raindrop is delivered directly through Sunburst.


The Sunburst backdoor was installed on two computer systems at one of the victims of the SolarWinds supply-chain attack. The next day, Teardrop was installed on one of these computers. A tool for querying Active Directory and a credential dumper designed specifically for SolarWinds Orion databases were found on this computer.


Eleven days later, a copy of Raindrop named bproxy.dll was installed on a third victim machine in an organization where no previous malicious activity had been seen. The computer was running software for remote access to and control of systems; attackers could use this software to gain access to any of the computers in the compromised organization. An hour later, the Raindrop malware installed an additional file called "7z.dll". The experts were unable to obtain this file, but a few hours later the legitimate version of 7-Zip was used to extract onto the computer a copy of what looked like Directory Services Internals (DSInternals). DSInternals is a legitimate tool for querying Active Directory servers and retrieving data, usually passwords, keys, or password hashes.


Later, the attackers installed an additional tool called mc_store.exe on this computer, an unidentified PyInstaller application. No further activity was observed on this computer.
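The sequence on the third machine (a 7z.dll written by something other than a 7-Zip installer, followed hours later by a 7-Zip extraction) is the kind of chain an endpoint correlation rule can catch. The following is an added detection example, not code from the article or from Symantec: it runs a two-stage rule over constructed endpoint telemetry. The event schema, host names, paths and the six-hour window are assumptions for illustration, and the "expected" 7-Zip directories are assumed standard install locations.

```python
"""Added example (not from the article or Symantec): correlate endpoint
file-creation and process-start events to flag a 7z.dll dropped outside a
7-Zip install directory that is followed, on the same host, by a 7-Zip
extraction. All events below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "file_create" or "process_start"
    path: str        # file written, or executable image launched
    parent: str = "" # process that wrote the file or launched the image

# Assumption: legitimate 7z.dll lives under a standard 7-Zip install directory.
EXPECTED_7Z_DIRS = (
    "c:\\program files\\7-zip\\",
    "c:\\program files (x86)\\7-zip\\",
)

def suspicious_7z_dll(ev: Event) -> bool:
    """A 7z.dll written anywhere other than an expected 7-Zip directory."""
    p = ev.path.lower()
    return (ev.kind == "file_create"
            and p.endswith("\\7z.dll")
            and not any(p.startswith(d) for d in EXPECTED_7Z_DIRS))

def is_7z_extract(ev: Event) -> bool:
    """A launch of the 7-Zip command-line tool (7z.exe)."""
    return ev.kind == "process_start" and ev.path.lower().endswith("\\7z.exe")

def correlate(events: List[Event], window: timedelta = timedelta(hours=6)) -> List[Dict]:
    """Return one alert per host where a suspicious 7z.dll drop is followed
    by a 7z.exe launch within `window`. Drops with no follow-up and benign
    installs are not reported."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for drop in (e for e in evs if suspicious_7z_dll(e)):
            follow = [e for e in evs
                      if is_7z_extract(e) and drop.ts <= e.ts <= drop.ts + window]
            if follow:
                alerts.append({
                    "host": host,
                    "dll": drop.path,
                    "dropped_by": drop.parent,
                    "extract_at": follow[0].ts,
                })
    return alerts

# Constructed sample telemetry (not real IoCs).
T0 = datetime(2021, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    # ws-01: normal 7-Zip install then use -> no alert
    Event(T0, "ws-01", "file_create", "C:\\Program Files\\7-Zip\\7z.dll", "7z-setup.exe"),
    Event(T0 + timedelta(minutes=5), "ws-01", "process_start", "C:\\Program Files\\7-Zip\\7z.exe", "explorer.exe"),
    # ws-02: odd 7z.dll location but no extraction follows -> no alert
    Event(T0, "ws-02", "file_create", "C:\\Users\\Public\\7z.dll", "unknown.exe"),
    # ws-03: 7z.dll dropped in a temp directory, 7z.exe runs three hours later -> alert
    Event(T0, "ws-03", "file_create", "C:\\Windows\\Temp\\7z.dll", "host-process.exe"),
    Event(T0 + timedelta(hours=3), "ws-03", "process_start", "C:\\Program Files\\7-Zip\\7z.exe", "host-process.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires both stages: a stray 7z.dll alone (ws-02) produces no alert, which keeps noise from portable or misplaced 7-Zip copies down, while the drop-then-extract pairing on ws-03 is reported with the process that wrote the DLL so an analyst has a pivot point.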


Raindrop is similar to Teardrop in that both act as downloaders for Cobalt Strike beacons. Raindrop is compiled as a DLL built from a modified version of the 7-Zip source code.


Although both malware families are designed to deploy Cobalt Strike beacons, there are differences in the Cobalt Strike configuration. Symantec has identified four Raindrop samples to date. In three cases, Cobalt Strike was configured to use HTTPS as the communication protocol; in the fourth, it was configured to use an SMB named pipe.


All three Raindrop samples that use HTTPS communication follow configuration patterns similar to one of the previously discovered Teardrop samples.

