Researchers have uncovered a fourth strain of malware – Raindrop – that was used in the SolarWinds supply chain attack, a loader similar to the Teardrop tool.
But while Teardrop was delivered by the original Sunburst backdoor in early July 2020, Raindrop was used just under two weeks later for spreading laterally across the victim’s network, Symantec said in a report.
“The discovery of Raindrop is a major step in our investigation of the SolarWinds attacks as it gives further insights into post-compromise activity at organizations of interest to the attackers,” Symantec researchers wrote on the heels of the revelation of a third strain – Sunspot – disclosed Jan. 11 by Crowdstrike. “While Teardrop was used on computers that had been infected by the original Sunburst trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers.”
Raindrop and Teardrop are similar in that both act as a loader for Cobalt Strike. However, Raindrop uses a custom packer to pack Cobalt Strike that differs from the one used by Teardrop. Raindrop has been compiled as a DLL built from a modified version of the 7-Zip source code.
Based on the report from Symantec, Brandon Hoffman, chief information security officer at Netenrich, said the Raindrop version of the malware was slightly customized depending on the victim environment. Like Teardrop, it hides as a variant of 7-Zip and, as with most other malware, arrives in DLL format.
“There’s a good set of published findings on what this malware does along with protection mechanisms,” Hoffman said. “Organizations concerned that they may have been Sunburst victims should run these additional detections and spend time understanding the researchers’ publications on customized aspects of Raindrop.”
The discovery of this fourth malware strain further supports the assessment that the threat actors responsible for the SolarWinds compromise are likely a highly capable and resourceful nation-state-linked threat group, according to Ivan Righi, cyber threat intelligence analyst at Digital Shadows.
“Considering the sophistication demonstrated by the threat actors, who left little forensic evidence and took significant steps to cover their tracks, it is realistically possible that more malware strains may have been used in the attack which have not yet been discovered,” Righi said. “Few cyber incidents have gotten this much attention and postmortem analysis. This will likely result in more malware strains being found and reported as more of the scope of the attack is revealed. Organizations directly impacted by the SolarWinds incident should make use of the indicators of compromise and YARA rules provided by Symantec to identify any traces of the Raindrop malware within their networks.”
The discovery of a fourth strain also demonstrates that the attackers will use an incredible variety of tools and techniques to establish a beachhead, said Jeff Barker, vice president of product marketing at Illusive Networks. In addition to investigation and remediation activities, he said, organizations need to start operating and planning as if beachheads are inevitable and focus more on detecting and preventing attacker activities after the beachhead has been established.
“It’s too easy for attackers to harvest credentials, move laterally, and escalate privileges once they are inside,” Barker said. “Developing, and investing in, an Active Defense strategy to preemptively clean up credential and pathway data reduces the attack surface and forces detections by transforming endpoints into a network of deceptions, essential to create an environment that is hostile to attacker activities once they’ve established a beachhead.”
Despite the realities of the threat landscape, Derek Manky, chief of security insights and global threat alliances at Fortinet’s FortiGuard Labs, said organizations can still get ahead of these types of attacks.
“A security architecture that incorporates segmentation, which reduces a company’s attack surface by effectively sealing off workloads from the rest of the network, can prevent cyberattackers from gaining access to the wider system,” Manky said. “A strong segmentation strategy means that malware and compromised systems will be contained to a specific segment of the network. By taking this step, organizations can also isolate intellectual property and personal data to keep that data safe in the case of a successful attack.”