Symantec Uncovers Fourth Malware Strain Used in SolarWinds Hack


Cybersecurity firm Symantec has discovered a fourth malware strain, Raindrop, used in the SolarWinds breach. Security researchers found that Raindrop acted as a loader for Cobalt Strike, a threat emulation tool, to stage further attacks.

The ongoing investigations of the SolarWinds software supply chain hack have now revealed a fourth malware strain, dubbed Raindrop, that was used as a backdoor to spread across victim networks and stage further attacks. Broadcom subsidiary Symantec recently discovered that the threat actors behind the SolarWinds hack packaged Raindrop as a trojanized DLL file (a library of code and data shared by programs) to deliver Cobalt Strike directly. Cobalt Strike is threat emulation software used to assess system and network security, while DSInternals is a tool for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.

Security researchers found that the hackers deployed four malware strains to stage the seven-month-long attack that came to light in mid-December. According to Symantec, the latest strain discovered, Raindrop, is quite similar to the third strain, Teardrop; however, its delivery mechanism differs significantly. Each of the four strains (Sunspot, Sunburst, Teardrop, and Raindrop) serves a different purpose.

Let’s dig into the details and how the malware strains were deployed to carry out the supply chain attack:

Sunspot: Discovered by CrowdStrike, this malicious tool was used to inject and embed backdoors into the SolarWinds Orion platform. The attackers paid special attention to Sunspot's operational security so that the people and systems compiling the Orion code would not detect it. They pulled this off by replacing one of the source code files with the Sunburst backdoor code.

Sunburst: Once the Sunburst backdoor is in place, Sunspot continuously monitors the Orion build operation and hijacks it to insert additional malicious code into the Orion library through the Sunburst backdoor. In this way, the attackers inserted malicious code into the Orion update packages distributed to thousands of customers. They avoided detection by compromising Orion's digital certificates and using them before the malicious code was executed. Both Sunspot and Sunburst operated between March and June 2020 without being detected.

Teardrop: Teardrop is a novel, specialized malware used to deliver and execute a customized Cobalt Strike Beacon payload. Delivered through the Sunburst backdoor, Teardrop is a second-stage, post-compromise payload whose purpose is to deliver yet another payload (Cobalt Strike Beacon) to expand the attackers' reach across the compromised network.

Raindrop: Similar to Teardrop, Raindrop is also a loader for Cobalt Strike and 7zip delivery, except that it isn't delivered via the Sunburst backdoor. This hypothesis rests on the fact that Symantec has found no evidence of Sunburst's involvement in delivering Raindrop. Curiously, Raindrop was found only on networks where Sunburst had already compromised at least one computer.
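One build-time control against the source-file swap described under Sunspot and Sunburst, as an added example (not code from the article, Symantec, or SolarWinds): hash the source tree at checkout and re-verify it immediately before the compiler runs, failing the build on any mismatch. The directory layout, file names and contents below are constructed for the demonstration.

```python
"""Source-tree integrity gate for a build pipeline (added example).

The implant described in the article replaced a source file *during*
the build, so repository code review never saw the change. Hashing the
checked-out tree and re-verifying it right before compilation catches a
file that changed between those two points.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return files that changed, vanished or appeared since the manifest."""
    current = build_manifest(root)
    # a missing file yields None here and is therefore reported as changed
    changed = [p for p in manifest if current.get(p) != manifest[p]]
    added = [p for p in current if p not in manifest]
    return sorted(changed + added)


def demo() -> list:
    """Simulate checkout, a build-time swap of one source file, and the gate."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        # constructed source tree; names are placeholders, not Orion's files
        (src / "BuildTarget.cs").write_text("// constructed clean source\n")
        (src / "Helpers.cs").write_text("// constructed helper\n")
        manifest = build_manifest(src)          # taken at checkout
        # constructed tamper: one file replaced after checkout, before compile
        (src / "BuildTarget.cs").write_text("// constructed backdoored source\n")
        return verify_manifest(src, manifest)   # gate runs right before compile


if __name__ == "__main__":
    tampered = demo()
    if tampered:
        raise SystemExit(f"build aborted, modified sources: {tampered}")
```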


Extensive investigations are ongoing to understand how Raindrop was delivered. Symantec's technical analysis found at least three modes of delivery across three different victims:

  • Victim 1: A network with computer access and management software. Following installation of the Sunburst backdoor in July 2020, Teardrop appeared the next day and Raindrop 11 days later.
  • Victim 2: Through the execution of PowerShell commands that launched additional instances of Raindrop on more computers in the organization.
  • Victim 3: On a computer with no HTTP-based command-and-control server.

Shaked Reiner, Security Researcher at CyberArk, told WIRED, “Even though it’s a difficult technique to perform, it still gives attackers a lot of crucial advantages that they need. Because the SolarWinds attackers used it so successfully, I’m sure that other attackers will note this and use it more and more from now on.”

Further, unlike Teardrop, Raindrop was deployed only on select victims; one of the three listed above was a high-value target.

Sunspot, Sunburst, Teardrop, and now Raindrop are all operational elements of the sophisticated cyber espionage campaign by Russia-backed threat actors. The malicious campaign started sometime in March 2020 and has infected 18,000 SolarWinds customers.

Timeline of SolarWinds Hack | Source: Microsoft

Security researchers discovered that the attackers chose their targets meticulously. Organizations targeted in the mega hack include U.S. federal agencies such as the Department of the Treasury, the Department of Defense, and the Department of Justice; big tech firms such as Microsoft, Cisco, Intel, NVIDIA, and VMware; consulting major Deloitte; and cybersecurity vendors FireEye and CrowdStrike, among others.

Despite being a SolarWinds customer, tech giant Google said none of its systems were impacted by the mega hack, since its use of the software was ‘very limited.’
