Cybersecurity firm Symantec has uncovered an additional piece of malware used in the SolarWinds attacks, becoming the fourth piece of malware associated with the wide-ranging compromise of the popular IT management software.
Symantec is calling this malware “Raindrop,” which is “a loader that delivers a payload of Cobalt Strike,” the company wrote in a blog post. It appears to have been used to spread across a victim’s network.
Raindrop is very similar to the already documented Teardrop malware, but Teardrop was delivered by the initial Sunburst backdoor, Symantec says.
To date, Symantec says there is no evidence that Raindrop was delivered directly by Sunburst. Rather, Raindrop appears elsewhere on networks where at least one computer has already been compromised by Sunburst.
In the blog, Symantec describes discovering Raindrop attacks:
In one victim, in early July 2020, Sunburst was installed through the SolarWinds Orion update, as has been well documented. Two computers were compromised.
The following day, Teardrop was subsequently installed on one of these computers. That computer was found to have an Active Directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases. The credential dumper was similar to, but not the same as, the open source Solarflare tool.
Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.
One hour later, the Raindrop malware installed an additional file called “7z.dll”. We were unable to retrieve this file; however, within hours a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.
An additional tool called mc_store.exe was later installed by the attackers on this computer. The tool is an unknown PyInstaller packaged application. No further activity was observed on this computer.
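The sequence Symantec describes on the third computer (a new DLL named bproxy.dll, a dropped 7z.dll, a legitimate 7-Zip binary extracting DSInternals, then an unknown PyInstaller executable) is the kind of ordered, per-host chain a detection rule can look for. The script below is an added example written for this article, not Symantec's code or a published detection rule. The log format and the sample lines are constructed; only the file and tool names come from Symantec's description. It groups endpoint events by host and flags a host only when every stage of the chain occurs in order within a time window, so a lone 7-Zip extraction on another host does not fire.

```python
"""Correlate endpoint events into the Raindrop-style chain described by Symantec.

Constructed example: the log format and sample lines are invented for
illustration; the indicator names (bproxy.dll, 7z.dll, 7z.exe, DSInternals)
are the ones named in Symantec's write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in the form "<ISO timestamp> <host> <event> <detail>".
# host-03 reproduces the published sequence; host-07 is benign 7-Zip use.
SAMPLE_LOG = """\
2020-07-01T09:12:04 host-03 FILE_CREATE C:\\Windows\\System32\\bproxy.dll
2020-07-01T10:05:31 host-03 FILE_CREATE C:\\Windows\\Temp\\7z.dll
2020-07-01T11:40:12 host-03 PROCESS_CREATE "C:\\Program Files\\7-Zip\\7z.exe" x tools.7z
2020-07-01T11:41:02 host-03 FILE_CREATE C:\\Users\\svc\\DSInternals\\DSInternals.psd1
2020-07-01T13:02:45 host-03 PROCESS_CREATE C:\\Users\\svc\\mc_store.exe
2020-07-01T09:00:00 host-07 PROCESS_CREATE "C:\\Program Files\\7-Zip\\7z.exe" x backup.7z
2020-07-01T09:00:30 host-07 FILE_CREATE C:\\Backups\\report.pdf
"""

# All stages must complete within this window of the first matched stage.
WINDOW = timedelta(hours=24)

# Ordered stages of the chain. Each predicate receives (event_type, detail).
STAGES = (
    ("loader_dll",
     lambda ev, d: ev == "FILE_CREATE" and d.lower().endswith("bproxy.dll")),
    ("dropped_7z_dll",
     lambda ev, d: ev == "FILE_CREATE" and d.lower().endswith("\\7z.dll")),
    ("archive_extract",
     lambda ev, d: ev == "PROCESS_CREATE" and "7z.exe" in d.lower()),
    ("ad_tooling",
     lambda ev, d: ev == "FILE_CREATE" and "dsinternals" in d.lower()),
)


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event, detail)."""
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail


def find_chains(log_text, window=WINDOW):
    """Return {host: [(stage_name, timestamp), ...]} for every host on which
    all STAGES occurred in order within `window` of the first stage."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            parsed = parse_line(line)
            by_host[parsed[1]].append(parsed)

    hits = {}
    for host, events in by_host.items():
        events.sort()                      # chronological order per host
        stage_idx, matched, start = 0, [], None
        for ts, _, ev, detail in events:
            if start is not None and ts - start > window:
                break                      # chain did not complete in time
            name, predicate = STAGES[stage_idx]
            if predicate(ev, detail):
                matched.append((name, ts))
                start = start if start is not None else ts
                stage_idx += 1
                if stage_idx == len(STAGES):
                    hits[host] = matched
                    break
    return hits


if __name__ == "__main__":
    for host, chain in find_chains(SAMPLE_LOG).items():
        print(f"{host}: " + " -> ".join(f"{n}@{t.time()}" for n, t in chain))
```

Ordering is what gives this rule its precision: 7-Zip runs and Active Directory queries are routine on their own, while a previously unseen DLL followed by an archive extraction that yields DSInternals on the same host within a day is the lateral-movement pattern the article describes. In a real deployment the event source would be an EDR or Sysmon feed rather than a constructed text log, and the window and stage predicates would be tuned to the environment.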
According to the company, tools associated with the attacks will be detected and blocked on machines running Symantec Endpoint products.
For more information, read Symantec’s blog for further technical analysis and mitigation.