[Figure: Raindrop timeline]

Raindrop – Fourth SolarWinds malware

Ongoing analysis of the SolarWinds supply chain attack has revealed a fourth malicious tool, which the researchers call Raindrop, used to spread across computers on the victim network.

The attackers used Raindrop to deliver Cobalt Strike beacons to selected victims of interest that had already been compromised through the trojanized SolarWinds Orion update.

So far, four pieces of malware have been identified in the SolarWinds supply chain attack, which is believed to be the work of Russian threat actors:

  • Sunspot, the malware originally used to inject the backdoor into the Orion platform build
  • Sunburst (Solorigate), the malware implanted in the Orion update that was distributed to thousands of SolarWinds customers
  • Teardrop, a post-exploitation tool that Sunburst delivered to select victims in order to deploy customized Cobalt Strike beacons
  • Raindrop, the newly discovered malware, similar to Teardrop

Disguised as a 7-Zip file to load Cobalt Strike

Symantec researchers discovered the new Raindrop malware on computers compromised in the SolarWinds attack. They noticed that it implements the same functionality as Teardrop, but differs in its deployment mechanism and at the code level.

[Figure: Raindrop and Teardrop compared]

To hide its malicious functionality, the attackers compiled Raindrop into a DLL using a modified version of the 7-Zip source code. The 7-Zip code serves only as cover: it is never actually used.

On one victim that installed the trojanized Orion platform in early July 2020, Symantec found that Sunburst delivered Teardrop the following day. The researchers said Raindrop appeared on another host in the same organization 11 days later, and no malicious activity was found on that host.

How Raindrop ended up on the victim network is still a mystery. Symantec saw no evidence that Sunburst delivered Raindrop directly, but it exists in “at least one computer elsewhere in the network where Sunburst has been compromised.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware to other systems. The cybersecurity company Volexity, in its investigation of the SolarWinds attack, also reported that the hackers used PowerShell for lateral movement by creating new tasks on remote computers.

Symantec has seen four samples of the new malware, all of which deliver Cobalt Strike beacons. In three cases, the payload is configured to communicate over HTTPS. In the fourth, communication goes over SMB named pipes, probably because that computer had no Internet access and another computer on the network was used to relay command and control.
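Detection logic for the two behaviours described above, PowerShell-driven creation of tasks on remote computers and an SMB named-pipe beacon, as an added example that is not from the original article or from Symantec's report. It assumes Sysmon-style process-creation (Event ID 1) and pipe-creation (Event ID 17) records as JSON lines; the sample events are constructed, and the `protected_storage` pipe prefix is the one Symantec reported for the SMB-beacon sample.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines), not real telemetry.
# EventID 1 = process creation, EventID 17 = named pipe created.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Computer": "ws01", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /create /s fileserver01 /tn Updater /tr C:\\Temp\\update.dll /sc once"}
{"EventID": 1, "Computer": "ws01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query /tn Backup"}
{"EventID": 17, "Computer": "srv02", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\protected_storage"}
{"EventID": 17, "Computer": "srv02", "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"}
'''

# Pipe-name prefixes to watch; the reported value is partially redacted,
# so we match on the known prefix rather than the full name.
WATCHED_PIPE_PREFIXES = ("\\protected_storage",)


def is_remote_task_creation(ev):
    """True when PowerShell spawns schtasks.exe to create a task on another host."""
    if ev.get("EventID") != 1:
        return False
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not (parent.endswith("powershell.exe") and image.endswith("schtasks.exe")):
        return False
    # "/s <host>" names a remote system; "/create" registers the task there.
    # "/sc" (schedule type) must not be mistaken for "/s".
    return "/create" in cmd and re.search(r"/s\s+\S+", cmd) is not None


def is_watched_pipe(ev):
    """True when a process creates a named pipe matching the watch list."""
    if ev.get("EventID") != 17:
        return False
    name = ev.get("PipeName", "").lower()
    return any(name.startswith(p) for p in WATCHED_PIPE_PREFIXES)


def scan(lines):
    """Return (host, finding, detail) tuples for every suspicious event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_remote_task_creation(ev):
            findings.append((ev["Computer"], "remote-task-creation", ev["CommandLine"]))
        elif is_watched_pipe(ev):
            findings.append((ev["Computer"], "suspicious-named-pipe", ev["PipeName"]))
    return findings


if __name__ == "__main__":
    for host, kind, detail in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host}: {kind}: {detail}")
```

Against the constructed sample the scan yields two findings: the remote task creation on ws01 and the watched pipe on srv02.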

Symantec notes that the discovery of Raindrop adds another piece to the SolarWinds supply chain attack puzzle. It reveals another facet of the operation and gives defenders and investigators new leads as they work to clean up affected networks.
