'Raindrop' Is Latest Malware Tied to SolarWinds Hack
Researchers: Backdoor Is Fourth Malware Variant Used During Attacks
Symantec Threat Intelligence says it has uncovered another malware variant used in the SolarWinds supply chain hack - a loader nicknamed "Raindrop" that apparently was used to deliver Cobalt Strike, a legitimate penetration testing tool, to a handful of targets.
Raindrop is the fourth malware variant identified as being used during the attack that targeted SolarWinds’ Orion network monitoring software. The others are Teardrop, Sunspot and Sunburst.
Symantec says Raindrop is similar to the already documented second-stage loader Teardrop, although they have several key differences.
"While Teardrop was delivered by the initial Sunburst backdoor, Raindrop appears to have been used for spreading across the victim's network," the Symantec report states.
Symantec researchers say they’ve detected no evidence that Raindrop is delivered directly by Sunburst. Raindrop appears elsewhere on networks where at least one device had already been compromised by Sunburst.
The SolarWinds supply chain attack that started in March 2020 involved placing the Sunburst backdoor in the Orion platform so it was downloaded when users updated the software (see: Severe SolarWinds Hacking: 250 Organizations Affected?).
While about 18,000 organizations downloaded the infected software, a few hundred, including government agencies and tech firms, apparently were targeted for follow-on attacks.
U.S. intelligence agencies say the attack appears to be a Russian-backed espionage operation.
Raindrop and Teardrop both act as a loader for the legitimate penetration testing tool Cobalt Strike, which is used to escalate an attack, Symantec says.
Raindrop, compiled as a Dynamic Link Library, is built from a modified version of the 7-Zip source code, which is intended to help obfuscate the malware, the researchers say.
When the Raindrop DLL is loaded, its first action is to start a new thread from the DllMain subroutine that executes the malicious code. The startup procedure includes performing a computation that delays the malware's activation, then locating and retrieving the payload that is embedded in the 7-Zip machine code, Symantec says.
The Raindrop malware conducts the following actions:
- Extracts the encoded payload. This involves copying data from predetermined locations that correspond to immediate values of the relevant machine instructions.
- Decrypts the extracted payload. This uses the AES algorithm in CBC mode.
- Decompresses the decrypted payload. This uses the LZMA algorithm.
- Decrypts the decompressed payload. This is a simple XOR with a byte key and does not affect the compression ratio.
- Executes the decrypted payload as shellcode.
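As an added illustration of the unpacking chain in the list above (not code from the Symantec report or from the Raindrop sample itself), the Python below builds a constructed carrier in which a stand-in payload is hidden in the immediate values of x86 mov instructions, then recovers it by extracting the immediates, LZMA-decompressing and XOR-decoding. The AES-CBC layer that sits between extraction and decompression is omitted because the page gives no key, and the function and variable names, the length prefix and the instruction layout are assumptions.

```python
import lzma
import struct

MOV_R32_IMM32 = range(0xB8, 0xC0)  # opcodes B8+r: mov eax..edi, imm32

def extract_immediates(code: bytes) -> bytes:
    """Collect, in order, the 4-byte immediate of every 'mov r32, imm32';
    any other byte is treated as one-byte filler and skipped (simplification:
    this is not a full disassembler)."""
    out, i = bytearray(), 0
    while i < len(code):
        if code[i] in MOV_R32_IMM32 and i + 5 <= len(code):
            out += code[i + 1:i + 5]
            i += 5
        else:
            i += 1
    return bytes(out)

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def build_sample(payload: bytes, xor_key: int) -> bytes:
    """Constructed test input (hypothetical layout, not Raindrop's): XOR the
    stand-in payload, LZMA-compress it, prefix a little-endian length, and
    carry it four bytes at a time in mov immediates separated by NOPs (0x90)."""
    stream = lzma.compress(xor_bytes(payload, xor_key))
    blob = struct.pack("<I", len(stream)) + stream
    blob += b"\x00" * (-len(blob) % 4)  # immediates are 4 bytes wide
    code = bytearray()
    for n, i in enumerate(range(0, len(blob), 4)):
        code.append(0xB8 + n % 8)  # rotate through eax..edi
        code += blob[i:i + 4] + b"\x90"
    return bytes(code)

def unpack(code: bytes, xor_key: int) -> bytes:
    """Undo the layers in the listed order: extract from immediates, (AES-CBC
    layer omitted here), LZMA-decompress, then XOR. Nothing is executed."""
    blob = extract_immediates(code)
    (length,) = struct.unpack_from("<I", blob)
    return xor_bytes(lzma.decompress(blob[4:4 + length]), xor_key)

def compressed_sizes(payload: bytes, xor_key: int) -> tuple:
    """Why the XOR sits under compression: a constant byte XOR keeps every
    repeat intact, so the LZMA stream is (almost exactly) the same size."""
    return (len(lzma.compress(payload)),
            len(lzma.compress(xor_bytes(payload, xor_key))))

STAGE = b"CONSTRUCTED STAND-IN STAGE, PLAIN TEXT, NOT CODE. " * 20  # not shellcode
SAMPLE = build_sample(STAGE, 0x5A)
```

Running `unpack(SAMPLE, 0x5A)` returns the stand-in stage, while `compressed_sizes(STAGE, 0x5A)` shows the two LZMA streams differ by at most a byte or two, which is why the XOR layer costs the author nothing in size.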
Not Widely Used
So far, Symantec has found Raindrop on only four victims’ systems. Its report describes three of those cases.
In a May 2020 incident, Raindrop was installed in a file called astdrvx64.dll, according to the report. The malware then lay dormant until early June 2020, when PowerShell commands were executed that tried to spread Teardrop onto additional computers in that organization. Teardrop is the data-exfiltrating malware that was downloaded onto some of the victims.
In a July 2020 incident, Sunburst was injected into an organization's network during a SolarWinds Orion update, immediately compromising two devices, according to the report.
The following day, one of the devices was infected with Raindrop. The device contained an Active Directory query tool and a credential dumper designed to work with SolarWinds databases. The credential dumper found was similar to the open-source Solarflare credential dumper.
Raindrop installed a malicious file named 7z.dll on the device, according to Symantec.
"We were unable to retrieve this file. However, within hours, a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals onto the computer," Symantec wrote.
In a third incident, Symantec researchers extracted Cobalt Strike from another Raindrop victim. Researchers say it did not have an associated command-and-control server but was configured to use a network pipe over the Server Message Block protocol.
"It's possible that in this instance, the victim computer did not have direct access to the internet, and so command and control was routed through another computer on the local network," Symantec says.