An additional piece of malware used in the SolarWinds attacks has been uncovered by researchers at Symantec, a division of Broadcom. Raindrop (Backdoor.Raindrop) is a loader that delivers a payload of Cobalt Strike.
Raindrop, though similar to Teardrop has some very significant differences. Teardrop was delivered by the Sunburst backdoor, whereas Raindrop is used for spreading across the victim’s network.
No evidence has been uncovered of Raindrop being directly involved with Sunburst. However, it appears elsewhere on networks where at least one computer has been affected and compromised by Sunburst.
Sunburst was installed through the SolarWinds Orion update in early July 2020, and two computers were compromised. Subsequently Teardrop was installed the next day.
An active directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases was found on that computer. On another previously uninfected computer, Raindrop was installed under the name bproxy.dll, eleven hours later.
The Raindrop malware installed an additional file called “7z.dll” an hour later. Within hours a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool that can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.
An additional tool called mc_store.exe was later installed by the attackers on this computer. The tool is an unknown PyInstaller packaged application. No further activity was observed on this computer.
Raindrop is very much similar to Teardrop where they act as a loader for Cobalt Strike Beacon. Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code.
Name file of the Export Directory Table is “”7-zip.dll” and the Export Names are:
And one of the following is selected at random:
Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code. This malicious thread performs the following actions:
The malware will then perform the following actions:
The discovery of Raindrop is a very significant step in the investigation of the SolarWinds hack attacks. It provides insights into the intentions of the attackers. Raindrop is used to move laterally and deploy payloads on other computers.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
Also Read
SolarWinds Hack – Multiple Similarities Found Between Sunburst Backdoor and Turla’s Backdoor
DOJ Says SolarWinds Hackers Accessed 3% of it’s Office 365 Mailboxes
Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS and…
Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol (RDP).…
Cybersecurity experts are sounding the alarm about a new SMS-based phishing tool, Devil-Traff, that is…
Experts at Wiz Research have identified a publicly exposed ClickHouse database belonging to DeepSeek, a…
The highly anticipated release of OPNsense 25.1 has officially arrived! Nicknamed "Ultimate Unicorn," this update…
Microsoft has officially added DeepSeek R1, an advanced AI model, to its Azure AI Foundry…