EXECUTIVE SUMMARY:

The SolarWinds supply chain attack may have affected as many as 18,000 organizations last spring. The nature of the attack became clear in December of 2020. Since then, a series of new details surrounding the extent and long-term consequences of the attack have gradually emerged. Catch up on Cyber Talk’s past SolarWinds coverage here.

In recent days, cyber security experts have discovered a new piece of malware threaded into the SolarWinds supply chain attack. It’s known as Raindrop, or Raindrop malware.

The Raindrop attack tool

Raindrop is a backdoor loader that leverages Cobalt Strike to move laterally across a victim’s network. Cobalt Strike is capable of command execution, keylogging, file transfer, port scanning and lateral movement.

Cobalt Strike is a commercially available cyber security testing tool that can detect vulnerabilities. Although intended for white hat purposes, cyber adversaries have determined how to weaponize it in network attacks.

Raindrop in the wild

Raindrop is a custom malware tool, akin to Teardrop. Three different computers were recently identified as having been compromised via Raindrop malware.

The first computer identified is the property of a high-value target. Access to this target’s computer also allowed the hackers to move into any or all other computers in the affected organization.

On the second Raindrop victim’s computer, Raindrop installed Cobalt Strike and then executed PowerShell commands. The PowerShell command execution led to the infection of additional computers belonging to the affected organization.
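Hunting for the behaviour described above, as an added example that is not from the original article or from the researchers’ own tooling: a small Python triage script that decodes `-EncodedCommand` PowerShell launches found in process-creation records and flags remoting cmdlets as lateral-movement hints. The hostnames, parent images and scripts in the sample records are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# Remoting cmdlets and switches that push code to other hosts; their presence in a
# decoded script is the lateral-movement hint we surface for triage.
LATERAL_HINTS = ("invoke-command", "-computername", "enter-pssession", "new-pssession")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

@dataclass
class Finding:
    host: str
    parent: str
    decoded: str
    lateral: bool

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if the line has none.
    PowerShell expects base64 over UTF-16LE text, so undo the layers in that order."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(events):
    """Decode every encoded PowerShell launch and flag remoting usage."""
    findings = []
    for host, parent, cmdline in events:
        if "powershell" not in cmdline.lower():
            continue
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        lateral = any(h in script.lower() for h in LATERAL_HINTS)
        findings.append(Finding(host, parent, script, lateral))
    return findings

def _enc(script: str) -> str:
    """Build the base64(UTF-16LE) form used only to construct sample records."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation records (host, parent image, command line);
# these are not real telemetry from the incident.
SAMPLE_EVENTS = [
    ("ws-01", "explorer.exe", "powershell.exe -NoProfile Get-Date"),
    ("ws-02", "svchost.exe", "powershell.exe -nop -w hidden -enc " + _enc(
        "Invoke-Command -ComputerName ws-03 -FilePath C:\\Users\\Public\\update.ps1")),
    ("ws-04", "cmd.exe", "powershell.exe -EncodedCommand " + _enc("Get-Process")),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.host, f.parent, "LATERAL" if f.lateral else "review", f.decoded)
```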

On the third victim’s computer, Raindrop installed Cobalt Strike configured without an HTTP-based command-and-control server.

Raindrop vs. Teardrop

“While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers,” report Check Point researchers.

Raindrop malware and the 7-Zip hideout

Cyber security researchers indicate that Raindrop is typically hidden as an encoded payload inside 7-Zip source code. That 7-Zip code is compiled into a DLL, with Raindrop embedded within it.

How does Raindrop malware work?

  • Raindrop delays execution to avoid detection
  • It uses steganography to find and extract the payload
  • It makes use of AES and LZMA algorithms to decrypt and decompress the payload
  • And more, as illustrated in the image below.

Image courtesy of The Hacker News

For more on Raindrop malware, visit Threatpost.