Researchers have uncovered another piece of malware used by the SolarWinds attackers to help them move across networks after an initial compromise. The tool is known as Raindrop and while it shares a number of similarities with the Teardrop malware used by the same group, it has some unique capabilities and has only been found on a small number of computers.
Like Teardrop, Raindrop functions mainly as a conduit for loading a Cobalt Strike Beacon, allowing the attackers to continue to move around a network and communicate with a remote C2 server. Symantec researchers discovered Raindrop installed on four machines in networks that had been compromised by the Sunburst backdoor, the main piece of malware used by the SolarWinds attackers. However, Raindrop has not been found on the same computers where Sunburst was installed. The adversaries behind the intrusion at SolarWinds, which U.S. officials have identified as likely coming from Russia, have used several custom tools as part of their operations, some for initial access and others for lateral movement and data exfiltration. Sunburst has been found in the networks of some companies that installed the malicious SolarWinds Orion update, and Teardrop and Raindrop have appeared in a subset of those victims’ networks.
“In one victim, in early July 2020, Sunburst was installed through the SolarWinds Orion update, as has been well documented. Two computers were compromised. The following day, Teardrop was subsequently installed on one of these computers. That computer was found to have an Microsoft Entra ID query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases. The credential dumper was similar to, but not the same as, the open source Solarflare tool,” a new report from Symantec’s Threat Hunter Team says.
Symantec has discovered just four individual samples of Raindrop thus far.
“Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.”
The discovery of Raindrop adds another layer to the already complex investigation into the breach at SolarWinds and the subsequent compromise of some of its customers. Since the initial disclosure of the breach in December, there has been a steady stream of related disclosures, including the names of customers that have been compromised, malware used in the operations, and how the attackers were able to move around the compromised networks.
Interestingly, Symantec has discovered just four individual samples of Raindrop thus far. That may mean that the attackers have used the tool very sparingly, or it could simply be that only a small number of a larger volume has been found. As incident response teams at victim organizations continue to investigate the intrusions, it’s likely that they will uncover other pieces of malware used by the attackers.