Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware named Raindrop for lateral movement and deploying additional payloads.
Raindrop is the fourth malware that was discovered investigating the SolarWinds attack after the SUNSPOT backdoor, the Sunburst/Solorigate backdoor and the Teardrop tool.
Raindrop (Backdoor.Raindrop) is a loader that was used by attackers to deliver a Cobalt Strike payload. Raindrop is similar to the Teardrop tool, but while the latter was delivered by the initial Sunburst backdoor, the former was used for spreading across the victim’s network.
“Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.” reads a blog post published by Symantec.
Symantec investigated four Raindrop infections until today, the malware was employed in the last phases of the attacks against a very few selected targets.
Both Raindrop and Teardrop are used to deploy Cobalt Strike Beacon, but they use different packers and different Cobalt Strike configurations.
“To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol.” continues the post.
“All three Raindrop samples using HTTPS communication follow very similar configuration patterns as previously seen in one Teardrop sample.”
In the following tables there are key differences between the two tools:
TEARDROP | RAINDROP | ||
---|---|---|---|
PAYLOAD FORMAT | Custom, reusing features from PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion. | Shellcode only. | |
PAYLOAD EMBEDDING | Binary blob in data section. | Steganography, stored at pre-determined locations within the machine code. | |
PAYLOAD ENCRYPTION | visualDecrypt combined with XOR using long key. | AES layer before decompression; separate XOR layer using one byte key after decompression. | |
PAYLOAD COMPRESSION | None. | LZMA. | |
OBFUSCATION | Reading JPEG file. Inserted blocks of junk code, some could be generated using a polymorphic engine. | Non-functional code to delay execution. | |
EXPORT NAMES | Export names vary, in some cases names overlapping with Tcl/Tk projects. | Export names overlap with Tcl/Tk projects. | |
STOLEN CODE | Byte-copy of machine code from pre-existing third-party components. The original code is distributed in compiled format only. | Recompiled third-party source code. |
The report published by Symantec includes IoCs and Yara Rules.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, SolarWinds)
[adrotate banner=”5″]
[adrotate banner=”13″]