A fourth piece of malware used by the SolarWinds attackers has been identified. According to Symantec analysts, a loader nicknamed "Raindrop" drops a Cobalt Strike Beacon payload that the attackers use for lateral movement across victims' networks.
Cobalt Strike is a commercial adversary-simulation framework used by red teams; its Beacon payload is the implant an operator controls remotely. The SolarWinds attackers appear to have turned those capabilities against victim networks to spread through an environment, exfiltrate data, deliver further malware, and more.
Raindrop is similar to the already documented Teardrop tool; both act as loaders for Cobalt Strike Beacon. There are differences, however: Teardrop was delivered by the initial Sunburst backdoor, whereas Raindrop was not delivered directly by Sunburst and appears to have been used for spreading across the victim's network once the attackers were already inside. Raindrop also packs its Cobalt Strike payload with a custom packer that differs from the one Teardrop uses.
The threat actors built Raindrop as a DLL from a modified copy of the 7-Zip source code, so that the malicious functionality hides among legitimate code. In the compiled DLL, the export directory's name field reads "7-zip.dll". Whenever the DLL is loaded, DllMain starts a new thread that executes the malicious code. This thread performs the following actions:
- Performs filler computation purely to delay execution; it has no effect on the DLL's functionality.
- Locates the start of the encoded payload, which is embedded within legitimate 7-Zip machine code.
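The export-directory name is the one concrete artifact the description above gives, and a legitimate 7-Zip installation ships a DLL with that exact export name, so the name alone is not an indicator; what is unusual is a DLL whose export directory says "7-zip.dll" while the file on disk is called something else. The Python below is an added example written for this page (it is not Symantec's tooling or code from the Raindrop analysis): it reads the export directory name straight out of the PE headers and compares it with the on-disk file name. The function names, the constructed header-only PE image it builds for itself, and the sample path are all this example's own assumptions.

```python
import ntpath
import struct

# Hypothetical names (this example's own, not Symantec's or 7-Zip's):
# _rva_to_offset, export_dll_name, export_name_mismatch, build_minimal_dll.


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using (va, vsize, raw_ptr, raw_size) section entries."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def export_dll_name(data):
    """Return the DLL name recorded in the export directory, or None if there is no export table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, data directories at +112
        count_off, dir_off = 108, 112
    elif magic == 0x10B:    # PE32:  NumberOfRvaAndSizes at +92,  data directories at +96
        count_off, dir_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt + count_off)[0] < 1:
        return None
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + dir_off)   # directory 0 = exports
    if exp_rva == 0 or exp_size == 0:
        return None
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp_off = _rva_to_offset(exp_rva, sections)
    name_rva = struct.unpack_from("<I", data, exp_off + 12)[0]   # IMAGE_EXPORT_DIRECTORY.Name
    name_off = _rva_to_offset(name_rva, sections)
    return data[name_off:data.index(b"\0", name_off)].decode("ascii", errors="replace")


def export_name_mismatch(path, data):
    """Hunting heuristic: a DLL whose export-directory name differs from its on-disk file name.
    Returns (export_name, mismatch); export_name is None when the image exports nothing."""
    exported = export_dll_name(data)
    if exported is None:
        return None, False
    return exported, exported.lower() != ntpath.basename(path).lower()


def build_minimal_dll(export_name):
    """Constructed test input: a header-only PE32+ DLL image whose export directory carries
    export_name. It contains no code and is not a real DLL; it exists only to exercise the parser."""
    sect_va, sect_raw, sect_size = 0x1000, 0x200, 0x200
    name = export_name.encode("ascii") + b"\0"
    # IMAGE_EXPORT_DIRECTORY (40 bytes): Name points just past itself; no exported functions
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sect_va + 40, 1, 0, 0, 0, 0, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x64, 1 section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, sect_size, 0, 0, sect_va, 0x180000000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x2000, sect_raw, 0, 2, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", sect_va, len(exp_dir) + len(name)) + b"\0" * (8 * 15)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", sect_size, sect_va, sect_size, sect_raw,
                       0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(sect_raw, b"\0")
    return headers + (exp_dir + name).ljust(sect_size, b"\0")


if __name__ == "__main__":
    image = build_minimal_dll("7-zip.dll")
    # constructed path: the file name on disk differs from what the export table claims
    print(export_name_mismatch(r"C:\Temp\update.dll", image))
```

Run against real files, the same check is cheap enough to apply to every DLL loaded into a process of interest, but treat a hit as a lead rather than a verdict: renamed copies of legitimate libraries also trip it, so confirm with the code-signing status and a hash comparison against a known-good 7-Zip build.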
Kaspersky researchers have identified some similarities between the Sunburst malware and Kazuar, a backdoor allegedly operated by Turla, a Russian cyber-espionage group. The U.S. government and others have also pointed to Russia as the likely perpetrator of the attack on SolarWinds.