Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

SolarWinds Hackers Used ‘Raindrop’ Malware for Lateral Movement

The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.

The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.

The SolarWinds attack involved the delivery of trojanized updates for Orion, an IT monitoring product, to as many as 18,000 of the company’s customers. These malicious updates delivered a piece of malware named Sunburst, which the attackers inserted into the Orion product using another piece of malware, named Sunspot.

In the case of a few hundred victims that presented an interest to them, including government and high-profile private organizations, the hackers also delivered a piece of malware named by researchers Teardrop, which in turn attempted to deploy a custom version of Cobalt Strike’s Beacon payload.

According to Symantec, the attackers also used another tool — very similar to Teardrop — for lateral movement and to deliver the same Cobalt Strike payload. Raindrop, described by the company as a loader and tracked as Backdoor.Raindrop, was spotted on compromised networks but, unlike Teardrop, it doesn’t appear to have been delivered directly by Sunburst.

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

“Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” Symantec said in a blog post.

On devices infected with Raindrop, the company also noticed tools that can be used to obtain passwords and keys, and saw the execution of PowerShell commands with the goal of executing instances of Raindrop on other devices on the network.

While Raindrop is similar to Teardrop, Symantec says they use different packers and there are differences in Cobalt Strike configurations. In one instance, Cobalt Strike was configured to use SMB Named Pipe as a communications protocol rather than HTTPS, which led experts to believe that the compromised device did not have direct access to the internet, forcing the attackers to route C&C communications through another computer on the network.

Advertisement. Scroll to continue reading.

The U.S. government and others said Russia was likely behind the attack on SolarWinds. Kaspersky recently found a link between the Sunburst malware and Kazuar, a piece of malware previously connected to a Russian cyberspy group known as Turla.

Related: SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale

Related: Class Action Lawsuit Filed Against SolarWinds Over Hack

Related: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.