Sunday, February 9, 2025
HomeCyber Security NewsNew Malware Discovered in SolarWinds Attack that Used 7-Zip Code to Hide

New Malware Discovered in SolarWinds Attack that Used 7-Zip Code to Hide

Published on

SIEM as a Service

Follow Us on Google News

An additional piece of malware used in the SolarWinds attacks has been uncovered by researchers at Symantec, a division of Broadcom. Raindrop (Backdoor.Raindrop) is a loader that delivers a payload of Cobalt Strike.

Raindrop, though similar to Teardrop has some very significant differences. Teardrop was delivered by the Sunburst backdoor, whereas Raindrop is used for spreading across the victim’s network.

No evidence has been uncovered of Raindrop being directly involved with Sunburst. However, it appears elsewhere on networks where at least one computer has been affected and compromised by Sunburst.

Sunburst was installed through the SolarWinds Orion update in early July 2020, and two computers were compromised. Subsequently Teardrop was installed the next day.

An active directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases was found on that computer. On another previously uninfected computer, Raindrop was installed under the name bproxy.dll, eleven hours later.

The Raindrop malware installed an additional file called “7z.dll” an hour later. Within hours a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.

An additional tool called mc_store.exe was later installed by the attackers on this computer. The tool is an unknown PyInstaller packaged application. No further activity was observed on this computer.

Figure 1. Example of Raindrop victim timeline

Raindrop Model

Raindrop is very much similar to Teardrop where they act as a loader for Cobalt Strike Beacon. Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code.

Name file of the Export Directory Table is “”7-zip.dll” and the Export Names are:

  • DllCanUnloadNow
  • DllGetClassObject
  • DllRegisterServer
  • DllUnregisterServer

And one of the following is selected at random:

  • Tk_DistanceToTextLayout
  • Tk_GetScrollInfoObj
  • Tk_MainLoop
  • XGetGeometry

Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code. This malicious thread performs the following actions:

  • Executes some computation to delay execution.
  • Locates start of the encoded payload which is embedded within legitimate 7-Zip machine code.

The malware will then perform the following actions:

  • Extract the encoded payload.
  • Decrypt the extracted payload. This uses the AES algorithm in CBC mode.
  • Decompress the decrypted payload. This uses the LZMA algorithm.
  • Decrypt the decompressed payload. This is simple XOR with byte key and as such does not impact compression ratio.
  • Execute the decrypted payload as shellcode.

Conclusion

The discovery of Raindrop is a very significant step in the investigation of the SolarWinds hack attacks. It provides insights into the intentions of the attackers. Raindrop is used to move laterally and deploy payloads on other computers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

SolarWinds Hack – Multiple Similarities Found Between Sunburst Backdoor and Turla’s Backdoor

DOJ Says SolarWinds Hackers Accessed 3% of it’s Office 365 Mailboxes

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...