Symantec's Threat Hunter Team, a group of security experts, has uncovered an additional piece of malware used in the SolarWinds attacks, one that was deployed against a select number of victims of particular interest to the attackers.
According to Symantec, the malware, Raindrop is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two.
"While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst," says Symantec.
Raindrop is the fourth malware variant identified in the SolarWinds attack, following Teardrop, Sunspot, and Sunburst, says Ivan Righi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
"The significance of a now fourth malware strain being discovered is that it further supports the assessment that the threat actors responsible for the SolarWinds compromise are likely a highly capable and resourceful nation-state-associated threat group. Considering the sophistication demonstrated by the threat actors, who left little forensic evidence and took extensive steps to cover their tracks, it is realistically possible that more malware strains may have been used in the attack which have not yet been identified," Righi says. "Few historical cyber incidents have gotten this much attention and postmortem analysis. This will likely result in more malware strains being discovered and reported as more of the scope of the attack is revealed. Organizations directly affected by the SolarWinds incident should utilize the indicators of compromise (IoCs) and Yara rules provided by Symantec to identify any traces of the Raindrop malware within their networks."
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says it appears that the Raindrop version of malware has been slightly customized depending on the victim environment.
Hoffman adds, "The commonalities exist in the sense that it is hiding as a version of 7zip and, not so different from much malware, comes in the format of a DLL. There is a great set of published findings on what this malware does along with protection mechanisms, including YARA rules. Organizations concerned that they may have been Sunburst victims should run these additional detections and spend time understanding the researchers' publications on customized components of Raindrop."
Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says, "So we are now getting into the semantics of minutia of how different malware worked so they can be named and detected with a signature. This is all great after the fact once we already know the attack occurred, however, it did not help when it mattered most."
Morales adds, "While the malware strains might slightly vary, and I'm sure more will be exposed, the fact is the behaviors related to the malware have been consistent – network reconnaissance for user accounts and passwords (primarily AD) followed by lateral movement to targeted systems with privilege escalation. Attackers can modify code and find different ways to execute the attack lifecycle, but no matter what they do the behaviors stay the same and are surprisingly consistent. During an attack, it does not matter who is responsible or how they are executing commands. It only matters that it is happening right now and what they are doing so that the organization can mitigate. This is where behaviors are strong with no prior knowledge of malware."
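As an added illustration of the behavior-based approach Morales describes (this is example code written for this article, not Symantec's or Vectra's detection logic), the script below flags a host that first runs Active Directory account or group reconnaissance and then opens network logons to several distinct machines within a short window, without any knowledge of which loader or DLL was involved. The event layout, the timestamps, the host names and the list of reconnaissance command markers are all constructed assumptions for the example; a real deployment would read Windows Security events 4688 (process creation) and 4624 (logon) from a SIEM.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    ts: int              # constructed timestamp in seconds
    event_id: int        # 4688 = process creation, 4624 = successful logon
    host: str            # host that recorded the event
    user: str
    source: str = ""     # originating host for 4624 network logons
    logon_type: int = 0  # 3 = network logon, the type used when moving host to host
    cmdline: str = ""    # command line for 4688 events


# Command-line fragments treated as AD account/group reconnaissance.
# Assumed markers chosen for this example, not a list taken from the article.
RECON_MARKERS = ("net user /domain", "net group", "nltest /dclist", "dsquery user")

# Constructed sample telemetry covering one suspicious host and two benign ones.
SAMPLE_EVENTS = [
    # WS01: an ordinary network logon before any recon (must not count)
    SecurityEvent(500, 4624, "FS01", "alice", source="WS01", logon_type=3),
    # WS01: AD reconnaissance seen as process creation
    SecurityEvent(1000, 4688, "WS01", "alice", cmdline='net group "Domain Admins" /domain'),
    SecurityEvent(1010, 4688, "WS01", "alice", cmdline="net user /domain"),
    # WS01: fan-out of network logons to several servers within the hour
    SecurityEvent(1100, 4624, "SRV01", "alice", source="WS01", logon_type=3),
    SecurityEvent(1200, 4624, "SRV02", "alice", source="WS01", logon_type=3),
    SecurityEvent(1300, 4624, "SRV03", "alice", source="WS01", logon_type=3),
    SecurityEvent(1350, 4624, "SRV03", "alice", source="WS01", logon_type=3),  # same host, counted once
    SecurityEvent(1400, 4624, "SRV04", "alice", source="WS01", logon_type=3),
    # WS01: an interactive logon (type 2) is not host-to-host movement
    SecurityEvent(1450, 4624, "WS01", "alice", logon_type=2),
    # WS01: a logon after the window has closed (must not count)
    SecurityEvent(1000 + 3600 + 1, 4624, "SRV05", "alice", source="WS01", logon_type=3),
    # WS02: recon followed by a single onward logon (below threshold)
    SecurityEvent(2000, 4688, "WS02", "bob", cmdline="nltest /dclist:corp"),
    SecurityEvent(2100, 4624, "SRV01", "bob", source="WS02", logon_type=3),
    # WS03: busy but benign, no recon at all
    SecurityEvent(3000, 4688, "WS03", "carol", cmdline="notepad.exe report.txt"),
    SecurityEvent(3100, 4624, "SRV01", "carol", source="WS03", logon_type=3),
    SecurityEvent(3200, 4624, "SRV02", "carol", source="WS03", logon_type=3),
    SecurityEvent(3300, 4624, "SRV03", "carol", source="WS03", logon_type=3),
]


def is_recon(ev: SecurityEvent) -> bool:
    """True when a process-creation event carries an AD reconnaissance marker."""
    return ev.event_id == 4688 and any(m in ev.cmdline.lower() for m in RECON_MARKERS)


def detect_recon_then_lateral(events, window_s=3600, min_targets=3):
    """Return {source_host: sorted target hosts} for every host that ran AD
    reconnaissance and then made network logons to at least `min_targets`
    distinct other hosts within `window_s` seconds of its first recon command."""
    ordered = sorted(events, key=lambda e: e.ts)

    # Earliest reconnaissance time per host; later recon on the same host does not reset it.
    first_recon = {}
    for ev in ordered:
        if is_recon(ev):
            first_recon.setdefault(ev.host, ev.ts)

    # Distinct destination hosts reached by network logon inside the window.
    targets = defaultdict(set)
    for ev in ordered:
        if ev.event_id != 4624 or ev.logon_type != 3 or ev.source not in first_recon:
            continue
        start = first_recon[ev.source]
        if start <= ev.ts <= start + window_s and ev.host != ev.source:
            targets[ev.source].add(ev.host)

    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in detect_recon_then_lateral(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} ran AD recon and then logged on to {len(hosts)} hosts: {', '.join(hosts)}")
```

The two thresholds (`window_s` and `min_targets`) are the tuning knobs a SOC would adjust against its own baseline; the point of the example is that the rule keys on the sequence of behaviors rather than on a file hash or YARA signature, so a renamed loader or a freshly customized DLL produces the same alert.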