Fourth SolarWinds malware strain shows diversity of tactics

Researchers have found a fourth strain of malware – Raindrop – that was used in the SolarWinds supply chain attack, a loader similar to the Teardrop tool.

But while Teardrop was delivered by the original Sunburst backdoor in early July 2020, Raindrop was used just under two weeks later for spreading laterally across the victim’s network, Symantec said in a report.

“The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers,” Symantec researchers wrote on the heels of the revelation of a third strain – Sunspot – disclosed Jan. 11 by CrowdStrike. “While Teardrop was used on computers that had been infected by the original Sunburst trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers.”

Raindrop and Teardrop are similar in that both act as a loader for Cobalt Strike. However, Raindrop uses a custom packer for the Cobalt Strike payload that differs from the one used by Teardrop. Raindrop was compiled as a DLL built from a modified version of the 7-Zip source code.

Based on the report from Symantec, Brandon Hoffman, chief information security officer at Netenrich, said the Raindrop malware was slightly customized depending on the victim environment. Like Teardrop, it hides as a version of 7-Zip and, as with most other malware, comes in DLL format.

“There’s a great set of published findings on what this malware does along with protection mechanisms,” Hoffman said. “Organizations concerned that they may have been Sunburst victims should run these additional detections and spend time understanding the researchers’ publications on customized components of Raindrop.”

The discovery of this fourth malware strain further supports the assessment that the threat actors responsible for the SolarWinds compromise are likely a highly capable and resourceful nation-state-associated threat group, according to Ivan Righi, cyber threat intelligence analyst at Digital Shadows.

“Considering the sophistication demonstrated by the threat actors, who left little forensic evidence and took extensive steps to cover their tracks, it is realistically possible that more malware strains may have been used in the attack which have not yet been identified,” Righi said. “Few cyber incidents have gotten this much attention and postmortem analysis. This will likely result in more malware strains being discovered and reported as more of the scope of the attack is revealed. Organizations directly affected by the SolarWinds incident should utilize the indicators of compromise and Yara rules provided by Symantec to identify any traces of the Raindrop malware within their networks.”

The discovery of a fourth strain also shows the attackers will use an incredible diversity in tools and tactics to create a beachhead, said Jeff Barker, vice president of product marketing at Illusive Networks. In addition to investigation/remediation activities, he said, organizations need to start operating and planning as if beachheads are inevitable and focus more on detecting and preventing the attacker activities after the beachhead has been established.

“It’s way too easy for attackers to harvest credentials, move laterally, and escalate privileges once they’re inside,” Barker said. “Developing, and investing in, an Active Defense strategy to preemptively clean up credential and pathway information reduces the attack surface and forces detections by transforming endpoints into a network of deceptions, necessary to create an environment that is hostile to attacker activities once they’ve established a beachhead.”

Despite the realities of the threat landscape, Derek Manky, chief of security insights and global threat alliances at Fortinet’s FortiGuard Labs, said organizations can still get ahead of these types of attacks.

“A security architecture that incorporates segmentation, which reduces a company’s attack surface by essentially sealing off workloads from the rest of the network, can prevent cyberattackers from gaining access to the wider system,” Manky said. “A solid segmentation strategy means that malware and compromised systems will be contained to a specific section of the network. By taking this step, organizations can also isolate intellectual property and personal data to keep that information secure in the case of a successful attack.”
