An extra piece of malware, now named Raindrop, has been revealed in the enormous SolarWinds supply-chain attacks. It was used in targeted attacks after the effort’s initial mass Sunburst compromise, researchers explained.
The post-compromise backdoor installs Cobalt Strike to help attackers move ‘laterally’ through victim networks.
The SolarWinds espionage attack, which has affected several US govt. agencies, tech companies like Microsoft & FireEye, & many others, began with a ‘poisoned’ software update that delivered the Sunburst backdoor to around 18,000 organisations last Spring.
After that broad-brush attack, the threat players (believed to have links to Russia) selected specific targets to infiltrate further, which they did over several months. The compromises were discovered in Dec.
Researchers have identified Raindrop as one of the tools used for those follow-on attacks. It is a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks, according to Symantec analysts.
Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat players have since found out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware etc.
3 Raindrop Victims
Symantec observed the malware being used on 3 different victim computers. The 1st was a high-value target, with access-&-management software installed. That management software could be used to access any of the other computers in the compromised organisation.
In addition to installing Cobalt Strike, Symantec researchers also found a legitimate version of 7-Zip being used to install Directory Services Internals (DS Internals) on the computer. 7-Zip is a free & open-source file archiver, while DS Internals is a legitimate tool which can be used for querying Active Directory servers & retrieving data, typically passwords, keys, or password hashes.
In the 2nd victim, Raindrop installed Cobalt Strike & then executed PowerShell commands that were bent on installing further instances of Raindrop on additional computers in the organisation.
In a 3rd victim, Raindrop installed Cobalt Strike without an HTTP-based command-&-control server.
“It…was rather configured to use a network pipe over SMB,” according to Symantec’s analysis, released Mon. “It’s possible that in this instance, the victim computer did not have direct access to the internet, & so command-&-control was routed through another computer on the local network.”
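The SMB-pipe variant above is the one a network-egress control will not see, so the detection has to come from the host. The following is an added example (not Symantec’s code, & not from the original article) that runs a simple named-pipe check over constructed log lines shaped after Sysmon Event ID 17 (Pipe Created) & 18 (Pipe Connected). The pipe-name patterns are assumptions for this example, drawn from widely published detection rules for Cobalt Strike’s default SMB beacon pipe names; a real deployment would maintain its own vetted list & pair this with process-lineage context.

```python
import json
import re

# Regexes for default named-pipe names publicly associated with Cobalt Strike
# SMB beacons. These are an assumption for this example (public detection
# rules), not indicators taken from the Symantec analysis of Raindrop.
SUSPICIOUS_PIPE_PATTERNS = [
    re.compile(r"^\\MSSE-\d+-server$", re.IGNORECASE),
    re.compile(r"^\\msagent_[0-9a-f]+$", re.IGNORECASE),
    re.compile(r"^\\postex_[0-9a-f]+$", re.IGNORECASE),
    re.compile(r"^\\status_[0-9a-f]+$", re.IGNORECASE),
]

# Constructed sample events, flattened to JSON lines for this example.
# Field names follow Sysmon's PipeEvent schema (EventID 17 = created,
# 18 = connected); the hosts, images and pipe names are invented.
SAMPLE_EVENTS = """
{"EventID": 17, "Computer": "WS01", "Image": "C:\\\\Windows\\\\System32\\\\spoolsv.exe", "PipeName": "\\\\spoolss"}
{"EventID": 17, "Computer": "WS01", "Image": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "PipeName": "\\\\MSSE-2201-server"}
{"EventID": 18, "Computer": "WS01", "Image": "C:\\\\Windows\\\\System32\\\\svchost.exe", "PipeName": "\\\\lsass"}
{"EventID": 17, "Computer": "SRV02", "Image": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "PipeName": "\\\\msagent_4f"}
{"EventID": 17, "Computer": "SRV02", "Image": "C:\\\\Windows\\\\System32\\\\wininit.exe", "PipeName": "\\\\ntsvcs"}
"""


def flag_pipe_events(log_text):
    """Return one alert dict per pipe event whose name matches a known pattern."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        # Only pipe-created / pipe-connected events carry a PipeName.
        if event.get("EventID") not in (17, 18):
            continue
        pipe = event.get("PipeName", "")
        for pattern in SUSPICIOUS_PIPE_PATTERNS:
            if pattern.match(pipe):
                alerts.append({
                    "host": event.get("Computer"),
                    "image": event.get("Image"),
                    "pipe": pipe,
                    "reason": f"pipe name matches {pattern.pattern}",
                })
                break  # one alert per event is enough
    return alerts


def hosts_with_alerts(log_text):
    """Distinct hosts that produced at least one alert, in first-seen order."""
    seen = []
    for alert in flag_pipe_events(log_text):
        if alert["host"] not in seen:
            seen.append(alert["host"])
    return seen


if __name__ == "__main__":
    for alert in flag_pipe_events(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['image']} -> {alert['pipe']}: {alert['reason']}")
```

Run against real telemetry, the interesting follow-up is the second heuristic the article hints at: a host that never talks to the internet but suddenly hosts or connects to a beacon-style pipe is a candidate pivot box, so the alert should be joined with proxy or firewall egress data for that host.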
Raindrop joins other custom malware that has been documented as being used in the attacks, including the ‘Teardrop’ tool, which researchers explained was delivered by the initial Sunburst backdoor.
Both Raindrop & Teardrop act as loaders for Cobalt Strike, & Raindrop samples using HTTPS C2 communication follow very similar configuration patterns to Teardrop, researchers commented. However, Raindrop uses a different custom packer from Teardrop, & Raindrop is not fetched by Sunburst directly, researchers stated.
Raindrop Malware Hides in 7-Zip
Symantec has uncovered that Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip. The malware authors have in this case embedded an encoded payload within the 7-Zip code.
“The 7-Zip code is not utilised & is designed to hide malicious functionality added by the attackers,” the researchers explained. “Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code.”
The malicious thread 1st delays execution in an effort to evade detection. Then, to find & extract the payload, the packer uses steganography, scanning the bytes starting from the beginning of the subroutine until it finds a code that signals the start of the payload code.
According to Symantec, extracting the code “involves simply copying data from pre-determined locations that happen to correspond to immediate values of the relevant machine instructions.”
It then decrypts & decompresses the extracted payload using the AES & LZMA algorithms, respectively, & executes the decrypted payload as shellcode.
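For an analyst trying to confirm that a suspect DLL follows this loader pattern, the useful artefact is a small extractor that walks the code the way Symantec describes: find the start-of-payload marker, harvest the immediate operands of the following instructions, & decompress what comes out. The block below is an added example written for this article, not Symantec’s tooling & not Raindrop’s code; the marker bytes, the `mov eax, imm32` / `push eax` instruction layout, the length-prefix & the filler bytes are all constructed assumptions so the example can build its own test blob. The AES layer described above is deliberately left out because Python’s standard library has no AES; only the marker scan, immediate extraction & LZMA stage are shown.

```python
import lzma

# Constructed signature that marks the start of the embedded payload. A real
# sample would use its own value; this one is invented for the example.
MARKER = b"\xde\xc0\xad\x0b"

# x86 opcodes used by the constructed stub: each 4-byte chunk of the payload is
# carried as the immediate operand of `mov eax, imm32` (B8 imm32), followed by
# `push eax` (50), and the sequence ends with `ret` (C3).
OP_MOV_EAX_IMM32 = 0xB8
OP_PUSH_EAX = 0x50
OP_RET = 0xC3


def build_sample_stub(payload):
    """Build a constructed code blob that hides `payload` in instruction immediates.

    This exists only to produce test data for the extractor below: the payload is
    LZMA-compressed, length-prefixed (4 bytes little-endian) and split into 4-byte
    immediates. It is not a real sample and carries no AES layer.
    """
    compressed = lzma.compress(payload)
    body = len(compressed).to_bytes(4, "little") + compressed
    body += b"\x00" * (-len(body) % 4)  # pad to whole immediates
    stub = bytearray(b"\x55\x8b\xec\x90\x90")  # push ebp; mov ebp,esp; nop; nop
    stub += MARKER
    for i in range(0, len(body), 4):
        stub += bytes([OP_MOV_EAX_IMM32]) + body[i:i + 4]
        stub += bytes([OP_PUSH_EAX])
    stub += bytes([OP_RET])
    return bytes(stub)


def extract_payload(blob):
    """Locate the marker, harvest immediates, and LZMA-decompress the result.

    Raises ValueError when the blob does not follow the expected layout, which is
    the signal an analyst wants when triaging a DLL that merely resembles the stub.
    """
    start = blob.find(MARKER)
    if start < 0:
        raise ValueError("payload marker not found")
    pos = start + len(MARKER)
    immediates = bytearray()
    while pos < len(blob):
        op = blob[pos]
        if op == OP_MOV_EAX_IMM32:
            # Copy the 4-byte immediate operand, skipping the opcode itself.
            immediates += blob[pos + 1:pos + 5]
            pos += 5
        elif op == OP_PUSH_EAX:
            pos += 1
        elif op == OP_RET:
            break
        else:
            raise ValueError(f"unexpected opcode 0x{op:02x} at offset {pos}")
    if len(immediates) < 4:
        raise ValueError("no payload immediates after marker")
    length = int.from_bytes(immediates[:4], "little")
    compressed = bytes(immediates[4:4 + length])
    if len(compressed) != length:
        raise ValueError("declared payload length exceeds harvested data")
    return lzma.decompress(compressed)


# Constructed placeholder payload: plain text, not shellcode.
SAMPLE_PAYLOAD = b"CONSTRUCTED-PLACEHOLDER-PAYLOAD: not shellcode, just test bytes"
SAMPLE_STUB = build_sample_stub(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(f"stub is {len(SAMPLE_STUB)} bytes, marker at offset {SAMPLE_STUB.find(MARKER)}")
    print("recovered:", extract_payload(SAMPLE_STUB))
```

The point of the walk is the one Symantec makes: nothing in the stub is a data section, so a scanner that only inspects resources or the overlay sees a plausible 7-Zip build. Harvesting the immediates from a disassembly, or with a byte walker like this one, is what exposes the hidden blob.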
“The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organisations of interest to the attackers,” according to the Symantec analysis.
“While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally & deploy payloads on other computers.”