Dive Brief:
- Symantec identified a fourth malware, Raindrop, involved in the SolarWinds hack, the company said Tuesday.
- Raindrop was used only "against a select number of victims that were of interest to the attackers," said Symantec. So far, Symantec has found evidence of the malware in four organizations it is investigating. In three of those samples, Cobalt Strike was "configured to use HTTPS as a communication protocol," while the fourth sample was configured to use an SMB named pipe as its communication channel.
- Raindrop is a loader that delivers a Cobalt Strike payload and has similarities to the memory-only dropper Teardrop, according to the security firm. Raindrop took the place of Teardrop in organizations of greater interest to the hackers. "Three Raindrop samples using HTTPS communication follow very similar configuration patterns as previously seen in one Teardrop sample," said Symantec.
Dive Insight:
Symantec is the latest security firm to uncover additional malware associated with the compromise of the SolarWinds Orion platform. When two organizations installed Sunburst by way of the tampered Orion update, Raindrop targeted one of them. In this case, the infected computer had an Active Directory query tool and a "credential dumper designed specifically for SolarWinds Orion databases," said Symantec.
Raindrop has only appeared in organizations with the compromised Orion update. However, Raindrop "appeared elsewhere on the network," where it was used for lateral movement to other computers. Raindrop's spread differed among the four organizations, and Symantec has not determined how Raindrop was delivered.
"Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst," said the security firm.
On Jan. 12, CrowdStrike found evidence of a third malware, Sunspot. Sunspot was used to deploy a backdoor "into the SolarWinds Orion platform without arousing the suspicion of the development team charged with delivering the product."
Malware discoveries related to SolarWinds hack
| Malware | Date disclosed | Description |
|---|---|---|
| Solorigate/Sunburst | Dec. 13, 2020 | Grants attackers access to perform backdoor commands |
| Teardrop | Dec. 13, 2020 | Deploys Cobalt Strike beacon following Sunburst |
| Sunspot | Jan. 11, 2021 | Used to insert Sunburst backdoor into Orion's software build |
| Raindrop | Jan. 18, 2021 | Enables lateral movement but used in targeted attacks only |
SOURCE: Microsoft, FireEye, CrowdStrike, Symantec
Using Sunspot, threat actors could insert Sunburst if the software build was successful. SolarWinds previously mentioned the Teardrop "post-exploitation tool," for which Raindrop is a specialized alternative.
"While Teardrop was used on computers that had been infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, being used by the attackers to move laterally and deploy payloads on other computers," said Symantec.
Government officials said the cyberattack is "likely Russian"; research firms have yet to name a specific threat group. CrowdStrike named the "activity cluster" StellarParticle, which overlaps with what other firms are calling Solorigate.