An additional piece of malware, dubbed Raindrop, has been unmasked in the sprawling SolarWinds supply-chain attacks. It was used in targeted attacks after the effort’s initial mass Sunburst compromise, researchers said.
The SolarWinds espionage attack, which has affected several U.S. government agencies, tech companies like Microsoft and FireEye, and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were discovered in December.
Researchers have identified Raindrop as one of the tools used for those follow-on attacks. It’s a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks, according to Symantec analysts.
Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more.
Three Raindrop Victims
Symantec observed the malware being used on three different victim computers. The first was a high-value target, with a computer access-and-management software installed. That management software could be used to access any of the other computers in the compromised organization.
In addition to installing Cobalt Strike, Symantec researchers also observed a legitimate version of 7-Zip being used to install Directory Services Internals (DSInternals) on the computer. 7-Zip is a free and open-source file archiver, while DSInternals is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys or password hashes.
In the second victim, Raindrop installed Cobalt Strike and then executed PowerShell commands that were bent on installing further instances of Raindrop on additional computers in the organization.
And in a third victim, Raindrop installed Cobalt Strike without a HTTP-based command-and-control server.
“It…was rather configured to use a network pipe over SMB,” according to Symantec’s analysis, released Monday. “It’s possible that in this instance, the victim computer did not have direct access to the internet, and so command-and-control was routed through another computer on the local network.”
Raindrop joins other custom malware that has been documented as being used in the attacks, including the Teardrop tool, which researchers said was delivered by the initial Sunburst backdoor.
Both Raindrop and Teardrop act as loaders for Cobalt Strike; and, Raindrop samples using HTTPS C2 communication follow very similar configuration patterns to Teardrop, researchers said. However, Raindrop uses a different custom packer from Teardrop; and, Raindrop isn’t fetched by Sunburst directly, researchers said.
Raindrop Malware Hides in 7-Zip
Symantec has uncovered that Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip. The malware authors have in this case embedded an encoded payload within the 7-Zip code.
“The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers,” the researchers explained. “Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code.”
The malicious thread first delays execution in an effort to evade detection. Then, to find and extract the payload, the packer uses steganography, scanning the bytes starting from the beginning of the subroutine until it finds a code that signals the start of the payload code.
According to Symantec, extracting the code “involves simply copying data from pre-determined locations that happen to correspond to immediate values of the relevant machine instructions.”
Then it decrypts and decompresses the extracted payload using with AES and LZMA algorithms, respectively, then executes the decrypted payload as shellcode.
“The discovery of Raindrop is a significant step in our investigation of the SolarWinds attacks as it provides further insights into post-compromise activity at organizations of interest to the attackers,” according to the Symantec analysis. “While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers.”
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.