In-depth investigation of the SolarWinds breach has revealed a fourth piece of malicious software connected to this historic incident. According to the researchers who analyzed it, the new threat, dubbed Raindrop, is a loader used to deliver Cobalt Strike. It was used in the post-compromise phase of the attack to support lateral movement across a small number of targeted networks.
Raindrop brings the count of custom malware tied to the SolarWinds campaign to four, alongside Sunburst, Sunspot, and Teardrop, which were already in the spotlight. The research shows that Raindrop has a great deal in common with Teardrop and is, in effect, its sibling. Nevertheless, the delivery method and payload composition differ, which sets Raindrop apart as a separate family.
To explain Raindrop's role in the SolarWinds incident, we should review the attack timeline. The intrusion began in September 2019, when adversaries, presumably Russia-affiliated, compromised the SolarWinds internal network and deployed the Sunspot malware. Sunspot was used to tamper with the SolarWinds Orion build process and insert the Sunburst code into new software releases. These trojanized Orion builds were distributed through the vendor's regular update channel between March and June 2020. As a result, up to 18,000 customers received the Sunburst backdoor, which gave the attackers a foothold in the networks of such high-profile organizations as FireEye, Microsoft, and several US government agencies. Notably, the attackers escalated their access in only a small subset of victims, using Teardrop and Raindrop for this purpose.
While Teardrop was delivered directly by the Sunburst backdoor, the infection vector for Raindrop remains unknown. Still, Raindrop appeared only on networks where at least one device had already been compromised with Sunburst. Security analysts suggest that the Raindrop infection may follow from Sunburst activity, since Sunburst was observed running PowerShell commands whose payloads could not be recovered. However, this connection remains unconfirmed.
Raindrop is compiled as a DLL from a modified copy of the 7-Zip source code. The 7-Zip code serves only as cover: the actual Raindrop payload is embedded in the DLL and launched by a custom packer. This packer is designed to delay execution for sandbox evasion and uses steganography to hide the payload until it is extracted.
Like Teardrop, Raindrop was used by the SolarWinds attackers to support lateral movement in the post-compromise phase. In Raindrop's case, however, the threat actors were more selective: researchers identified only four victim organizations where this strain was deployed. In every case, Raindrop delivered a Cobalt Strike Beacon payload. In three instances, the Beacon was configured to communicate with its command-and-control (C2) server over HTTPS. In the fourth, it was configured to communicate over an SMB named pipe, probably because the compromised host had no direct internet access and had to relay its traffic through another compromised machine, which is how SMB Beacon operates.
Notably, while Teardrop and Raindrop are almost identical in function, they differ slightly in configuration. The distinctions include payload format, embedding, encryption, and compression mechanisms, as well as obfuscation and export names.
Because the malware stayed under the radar for a long time and uses effective evasion techniques, researchers advise all organizations possibly affected by the SolarWinds hack to run additional scans for Raindrop infection. The SOC Prime team has developed a dedicated Sigma rule to support proactive Raindrop detection:
Raindrop Malware Patterns [related to SolarWinds attack] (via sysmon)
On January 22, 2021, Threat Bounty developer Emir Erdogan released a second rule contributing to Raindrop detection. Check the new content to stay safe!
Raindrop Malware (via rundll32)
The rules have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness
EDR: Carbon Black
Tactics: Lateral Movement
Techniques: Remote Services (T1021)
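The two rules above are published on the Threat Detection Marketplace and are not reproduced here. To show the kind of telemetry such rules work on, the following is an added example written for this article, not SOC Prime's Sigma content and not code from the Raindrop analysis. It runs two simple detections over constructed Sysmon-style events: one for the SMB named-pipe C2 channel described above, using Cobalt Strike's documented default pipe names (msagent_##, postex_####, MSSE-###-server), and one for rundll32 being used to call an export of a DLL outside the Windows system directories, which is the shape of a dropped loader such as Raindrop. The event dicts, the DLL path, and the export name "Run" are all constructed for illustration; nothing here is an indicator from a real victim.

```python
import re
from dataclasses import dataclass

# Default named-pipe names used by Cobalt Strike's SMB Beacon and by its
# post-exploitation jobs. These are the tool's own documented defaults, not
# indicators taken from the Raindrop analysis. Operators can rename pipes in a
# Malleable C2 profile, so a miss here is not a clean bill of health.
CS_PIPE_PATTERNS = [
    re.compile(r"^msagent_[0-9a-f]{2}$", re.IGNORECASE),
    re.compile(r"^postex_[0-9a-f]{4}$", re.IGNORECASE),
    re.compile(r"^MSSE-\d{3,4}-server$", re.IGNORECASE),
]

# Directories from which rundll32 is expected to load a DLL. A DLL under the
# user profile, ProgramData or a temp folder is what a dropped loader looks like.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def normalize_pipe(name: str) -> str:
    r"""Strip the leading '\' (Sysmon form) or '\\.\pipe\' prefix so pipe names compare equal."""
    name = name.lower()
    for prefix in ("\\\\.\\pipe\\", "\\"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def parse_rundll32(cmdline: str):
    """Return (dll_path, export_name) for a 'rundll32 <dll>,<export>' command line, else None."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+(.+)$', cmdline, re.IGNORECASE)
    if not m or "," not in m.group(1):
        return None
    dll, _, export = m.group(1).strip().partition(",")
    dll = dll.strip().strip('"')
    tokens = export.strip().split()
    return dll, (tokens[0] if tokens else "")


def detect(events):
    """Run both rules over a list of Sysmon-style event dicts and return the alerts."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in (17, 18):  # Sysmon: pipe created (17) / pipe connected (18)
            pipe = normalize_pipe(ev["PipeName"])
            if any(p.match(pipe) for p in CS_PIPE_PATTERNS):
                alerts.append(Alert("cs_smb_beacon_pipe", ev["Computer"],
                                    f"{ev['Image']} opened \\\\.\\pipe\\{pipe}"))
        elif eid == 1 and ev["Image"].lower().endswith("\\rundll32.exe"):  # process creation
            parsed = parse_rundll32(ev["CommandLine"])
            if parsed and not parsed[0].lower().startswith(TRUSTED_DLL_DIRS):
                alerts.append(Alert("rundll32_untrusted_dll_export", ev["Computer"],
                                    f"{parsed[0]},{parsed[1]}"))
    return alerts


# Constructed Sysmon-style events (not real telemetry from any victim). The DLL
# path under C:\Users\Public and the export name "Run" are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},  # benign
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\Public\\Libraries\\7z.dll",Run'},  # loader-like
    {"EventID": 18, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\srvsvc"},  # benign SMB pipe
    {"EventID": 17, "Computer": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "PipeName": "\\msagent_4b"},  # default SMB Beacon pipe
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Two caveats a practitioner should keep in mind. The named-pipe rule only catches the fourth, SMB-configured Beacon; the three HTTPS Beacons leave nothing in pipe events and have to be hunted in network, proxy, or DNS telemetry. The rundll32 rule will fire on legitimate installers that keep DLLs in the user profile, so the trusted-directory list needs tuning per environment rather than being copied as-is.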
Check more rules related to the SolarWinds compromise in our blog articles dedicated to the FireEye breach, the SUNBURST overview, and the SUPERNOVA analysis.
Get a subscription to the Threat Detection Marketplace to reduce the mean time to detection of cyber-attacks with our 90,000+ SOC content library. The content base grows every day to detect the most alarming cyber threats at the earliest stages of the attack lifecycle. Want to create your own curated content? Join our Threat Bounty community for a safer future!