MalwareNoticias

Researchers Discover Raindrop – 4th Malware Linked to the SolarWinds Attack

Cybersecurity researchers have discovered a fourth new malware strain, designed to spread malware to other computers on victim networks, that was deployed as part of the SolarWinds supply chain attack disclosed late last year.

Dubbed "Raindrop" by Broadcom-owned Symantec, the malware joins other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.

The latest finding comes amid an ongoing investigation into the breach, suspected to be of Russian origin, which has claimed several U.S. government agencies and private sector companies.

"The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks, as it provides further information about post-compromise activity at organizations of interest to the attackers," Symantec researchers said.

The cybersecurity firm said it has discovered only four Raindrop samples to date, which were used to deliver Cobalt Strike Beacon, an in-memory backdoor capable of executing commands, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.

Last month, Symantec had identified more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, with select targets infected with a second-stage payload called Teardrop that is also used to install Cobalt Strike Beacon.

"The way Teardrop is built, it could have dropped anything; in this case, it dropped Beacon, a payload bundled with Cobalt Strike," Check Point researchers said, noting that it was possibly done to "make attribution more difficult."


"While Teardrop was used on computers that had been infected by the original Sunburst trojan, Raindrop appeared elsewhere in the network, being used by the attackers to move laterally and deploy payloads on other machines."

It is worth noting that the attackers used the Sunspot malware exclusively against SolarWinds in September 2019 to compromise its build environment and inject the Sunburst trojan into its Orion network monitoring platform. The tainted software was delivered to 18,000 of the company's customers.

Microsoft's analysis of Solorigate's modus operandi last month found that the operators carefully chose their targets, opting to escalate attacks in only a handful of cases by deploying Teardrop based on information gathered during an initial reconnaissance of the target environment for high-value accounts and assets.

Now Raindrop ("bproxy.dll") joins the mix. While Teardrop and Raindrop both act as droppers for Cobalt Strike Beacon, they also differ in several ways.

For starters, Teardrop is delivered directly by the initial Sunburst backdoor, whereas Raindrop appears to have been deployed with the goal of spreading across the victim's network. Moreover, the malware appears on networks where at least one computer has already been compromised by Sunburst, with no indication that Sunburst triggered its installation.

The two malware strains also use different packers and Cobalt Strike configurations.

Symantec did not identify the organizations affected by Raindrop, but said the samples were found on a victim system running computer management and remote access software and on a machine that was found to be running PowerShell commands to infect additional computers in the organization with the same malware.
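The article names two observable traces of Raindrop activity: the dropper's file name ("bproxy.dll") and PowerShell being used from an already-compromised machine to push the malware to other hosts. The following is an added hunting example, not code from the article, Symantec, or any of the vendors cited. It runs two heuristics over a handful of constructed process-creation events: a module load whose file name matches the reported DLL name, and a PowerShell process spawned by a service-style parent whose command line carries PowerShell remoting keywords. The event schema, the sample events, the parent-process list and the remoting keyword list are all assumptions chosen for the example; only the DLL name comes from the page.

```python
"""Hunt over constructed process-creation events for two Raindrop-related
signals described in the article.  Everything except the DLL name is an
assumption for this example: the event fields, the list of service-style
parents, the remoting keywords and the sample data itself."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str                    # endpoint that produced the event
    parent: str                  # parent process image name
    image: str                   # process image name
    cmdline: str                 # full command line
    loaded_modules: tuple = ()   # DLL paths loaded by the process (constructed)


# Dropper file name reported by Symantec (from the article).
RAINDROP_DLL = "bproxy.dll"

# Assumed heuristics: PowerShell remoting verbs typical of lateral movement,
# and parent processes from which an interactive admin shell rarely starts.
REMOTE_EXEC_HINTS = ("invoke-command", "-computername", "new-pssession", "enter-pssession")
SERVICE_PARENTS = {"services.exe", "wmiprvse.exe"}


def module_signal(ev: ProcEvent):
    """Flag any process that loaded a module named like the Raindrop dropper."""
    if any(m.lower().endswith(RAINDROP_DLL) for m in ev.loaded_modules):
        return "raindrop-dll"
    return None


def powershell_signal(ev: ProcEvent):
    """Flag PowerShell launched from a service-style parent with remoting keywords."""
    if ev.image.lower() != "powershell.exe":
        return None
    cl = ev.cmdline.lower()
    if ev.parent.lower() in SERVICE_PARENTS and any(h in cl for h in REMOTE_EXEC_HINTS):
        return "powershell-remote-exec"
    return None


def hunt(events):
    """Return (host, reason) pairs for every event matching a heuristic."""
    hits = []
    for ev in events:
        for check in (module_signal, powershell_signal):
            reason = check(ev)
            if reason:
                hits.append((ev.host, reason))
    return hits


# Constructed sample telemetry; hosts, paths and command lines are made up.
SAMPLE_EVENTS = [
    # Ordinary interactive PowerShell use: not flagged.
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              "powershell.exe Get-ChildItem C:\\Users"),
    # Admin remoting from an interactive shell: not flagged by this heuristic.
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              "powershell.exe Invoke-Command -ComputerName fs01 -ScriptBlock { Get-Date }"),
    # Service host that loaded a DLL with the reported dropper name: flagged.
    ProcEvent("srv02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs",
              ("C:\\ProgramData\\example\\bproxy.dll",)),
    # PowerShell spawned by WMI with remoting towards another host: flagged.
    ProcEvent("srv02", "wmiprvse.exe", "powershell.exe",
              "powershell.exe -NoProfile Invoke-Command -ComputerName srv03 -FilePath update.ps1"),
]


if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Both heuristics are deliberately narrow: a file-name match is trivial for an attacker to defeat by renaming, and parent-process plus keyword matching will miss remoting done through other tooling, so in practice these serve as starting points for a hunt rather than as a complete detection.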

Source: Collaboration with ExploitWareLabs and TheHackerNews
