Another Malware Variant Found in the SolarWinds Hack and Another Victim
- By Dawna M. Roberts
- Published: Jan 29, 2021
- Last Updated: Mar 18, 2022
The SolarWinds supply chain attack is a bomb that just keeps ticking. Another variant of malware was discovered, and threat researchers have nicknamed it “Raindrop.”
This week, Symantec Threat Intelligence discovered another malware variant in the SolarWinds attack and nicknamed it “Raindrop.” This latest find was designed to deliver Cobalt Strike, a penetration testing tool, and it was used on several of the affected targets.
Raindrop is the fourth malware variant discovered so far that was used in the supply chain attack. The other three were Sunburst, Teardrop, and Sunspot. Raindrop is most like Teardrop, although there are some differences. Symantec reported that “While Teardrop was delivered by the initial Sunburst backdoor, Raindrop appears to have been used for spreading across the victim’s network.”
The SolarWinds supply chain attack began in March 2020 and affected more than 18,000 customers who used Orion devices. Many of the victims were government agencies and technology firms. Threat researchers are quite sure it was a Russian-backed attack.
How Raindrop Works
Raindrop works as a loader for the legitimate penetration testing tool called Cobalt Strike. The threat actors compiled Raindrop as a Dynamic Link Library (DLL) as a method of evading detection. It was designed using a modified version of 7-Zip source code.
According to Data Breach Today, the Raindrop malware initiates by starting “a new thread from the DllMain subroutine that executes the malicious code. The startup procedure includes completing computation that delays the malware’s activation and finds and retrieves the payload that is included in the 7-Zip machine code, Symantec says.
The Raindrop malware conducts the following actions:
- Extracts the encoded payload. This involves copying data from predetermined locations that correspond to immediate values of the relevant machine instructions.
- Decrypts the extracted payload. This uses the AES algorithm in CBC mode.
- Decompresses the decrypted payload. This uses the LZMA algorithm.
- Decrypts the decompressed payload. This is a simple XOR with a byte key and does not affect the compression ratio.
- Executes the decrypted payload as shellcode.”
Symantec reported that this particular variant was only used on four victims. However, interestingly enough, the original Raindrop file was installed back in March 2020 and remained dormant until June 2020 when “PowerShell commands were executed that tried to spread Teardrop onto additional computers in that organization. Teardrop is the data-exfiltrating malware that was downloaded onto some of the victims,” Data Breach Today reported.
Another Malware, Another Victim
Along with the long list of victims already disclosed, Malwarebytes confirmed last week that it too was involved in the hacking incident. Malwarebytes is now the fourth high-tech firm to be affected by this worldwide attack, alongside CrowdStrike, Microsoft, and FireEye. However, its intrusion was not linked directly to the SolarWinds equipment but instead came from “abusing applications with privileged access to Microsoft Office 365 and Azure environments.”
The cyber attack on Malwarebytes affected its internal email system hosted on Office 365. Microsoft first alerted the company on December 15, 2020, about suspicious activity with the “email protection app” within its Office 365 client.
The Hacker News shared that “While Malwarebytes does not use SolarWinds, we, like many other companies, were recently targeted by the same threat actor,” the company’s CEO Marcin Kleczynski said in a post. “We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”
Threat researchers theorize that this second wave came at the hands of a Russian hacker group known as UNC2452 or Dark Halo.
According to The Hacker News, “Malwarebytes said the threat actor added a self-signed certificate with credentials to the principal service account, subsequently using it to make API calls to request emails via Microsoft Graph.”
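The sequence quoted above (a credential added to a service principal, then that principal calling Microsoft Graph for mail) leaves two log trails that are unremarkable on their own but worth an alert when they occur together. The following is an added example, not code from the article or from Malwarebytes: an offline detection sketch that pairs credential-addition audit events with Graph sign-ins by the same principal inside a time window, and additionally flags sign-ins from an IP that principal had never used before the credential was added. The event dicts use a simplified shape loosely modelled on Azure AD audit and service-principal sign-in records, the operation names are assumed, and all sample events are constructed.

```python
"""
Added example, not code from the article or from Malwarebytes: offline
correlation of "credential added to service principal" audit events with
subsequent Microsoft Graph sign-ins by that principal.

Assumptions (not from the article): events are flat dicts in a simplified
shape modelled on Azure AD audit / service-principal sign-in records; the
operation names and every sample event below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Audit operations treated as "a credential (certificate or secret) was added".
# Names mirror what Azure AD audit logs show, but are an assumption here.
CREDENTIAL_ADD_OPERATIONS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Constructed sample audit events (simplified field names, not the real schema).
SAMPLE_AUDIT_EVENTS = [
    {"time": "2020-12-10T08:00:00Z", "operation": "Add member to group",
     "actor": "it-admin@example.test", "target": "helpdesk", "target_type": "Group"},
    {"time": "2020-12-10T09:12:00Z", "operation": "Add service principal credentials",
     "actor": "it-admin@example.test", "target": "mail-protection-app",
     "target_type": "ServicePrincipal"},
]

# Constructed sample service-principal sign-ins (simplified).
SAMPLE_SIGNIN_EVENTS = [
    {"time": "2020-12-03T11:00:00Z", "principal": "mail-protection-app",
     "resource": "Microsoft Graph", "ip": "203.0.113.10"},   # before the credential add
    {"time": "2020-12-10T09:40:00Z", "principal": "mail-protection-app",
     "resource": "Microsoft Graph", "ip": "198.51.100.7"},   # shortly after it, new IP
    {"time": "2020-12-10T09:45:00Z", "principal": "backup-app",
     "resource": "Microsoft Graph", "ip": "203.0.113.10"},   # unrelated principal
]


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_credential_additions(audit_events):
    """Return audit events that add a credential to a service principal."""
    return [
        ev for ev in audit_events
        if ev["operation"] in CREDENTIAL_ADD_OPERATIONS
        and ev.get("target_type") == "ServicePrincipal"
    ]


def correlate_graph_use(audit_events, signin_events, window_hours=72):
    """Pair each credential addition with Graph sign-ins by the same principal
    inside the following window. Either event alone is routine; the pair is
    the sequence the article describes."""
    findings = []
    for add in find_credential_additions(audit_events):
        start = parse_time(add["time"])
        end = start + timedelta(hours=window_hours)
        for si in signin_events:
            if si["principal"] != add["target"] or si["resource"] != "Microsoft Graph":
                continue
            when = parse_time(si["time"])
            if start <= when <= end:
                findings.append({
                    "principal": add["target"],
                    "credential_added_by": add["actor"],
                    "credential_added_at": add["time"],
                    "graph_signin_at": si["time"],
                    "graph_signin_ip": si["ip"],
                    "minutes_after_add": int((when - start).total_seconds() // 60),
                })
    return findings


def new_source_ips(findings, signin_events):
    """Keep only findings whose sign-in IP was never seen for that principal
    before the credential was added: the new credential is used from somewhere new."""
    flagged = []
    for f in findings:
        added_at = parse_time(f["credential_added_at"])
        prior_ips = {
            si["ip"] for si in signin_events
            if si["principal"] == f["principal"] and parse_time(si["time"]) < added_at
        }
        if f["graph_signin_ip"] not in prior_ips:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    findings = correlate_graph_use(SAMPLE_AUDIT_EVENTS, SAMPLE_SIGNIN_EVENTS)
    for f in new_source_ips(findings, SAMPLE_SIGNIN_EVENTS):
        print(f"ALERT {f['principal']}: credential added by {f['credential_added_by']} at "
              f"{f['credential_added_at']}, Graph sign-in {f['minutes_after_add']} min later "
              f"from new IP {f['graph_signin_ip']}")
```

The 72-hour window and the "never-seen IP" filter are tuning knobs, not thresholds from the article; in practice the correlation would be run against exported audit and sign-in logs rather than the inline samples, and the credential-addition event alone is still worth reviewing for any service principal holding mail permissions.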
Another malware variant and another victim disclosed. It is clear we have not heard the last of this story.