SolarWinds Hackers Used ‘Raindrop’ Malware for Lateral Movement

The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.

The SolarWinds attack involved the delivery of trojanized updates for Orion, an IT monitoring product, to as many as 18,000 of the company’s customers. These malicious updates delivered a piece of malware named Sunburst, which the attackers inserted into the Orion product using another piece of malware, named Sunspot.

In the case of a few hundred victims that presented an interest to them, including government and high-profile private organizations, the hackers also delivered a piece of malware named by researchers Teardrop, which in turn attempted to deploy a custom version of Cobalt Strike’s Beacon payload.

According to Symantec, the attackers also used another tool — very similar to Teardrop — for lateral movement and to deliver the same Cobalt Strike payload. Raindrop, described by the company as a loader and tracked as Backdoor.Raindrop, was spotted on compromised networks but, unlike Teardrop, it doesn’t appear to have been delivered directly by Sunburst.

Continuous Updates: Everything You Need to Know About the SolarWinds Attack

“Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” Symantec said in a blog post.

On devices infected with Raindrop, the company also noticed tools that can be used to obtain passwords and keys, and saw the execution of PowerShell commands with the goal of executing instances of Raindrop on other devices on the network.

While Raindrop is similar to Teardrop, Symantec says they use different packers and there are differences in Cobalt Strike configurations. In one instance, Cobalt Strike was configured to use SMB Named Pipe as a communications protocol rather than HTTPS, which led experts to believe that the compromised device did not have direct access to the internet, forcing the attackers to route C&C communications through another computer on the network.

The U.S. government and others said Russia was likely behind the attack on SolarWinds. Kaspersky recently found a link between the Sunburst malware and Kazuar, a piece of malware previously connected to a Russian cyberspy group known as Turla.

Related: SolarLeaks: Files Allegedly Obtained in SolarWinds Hack Offered for Sale

Related: Class Action Lawsuit Filed Against SolarWinds Over Hack

Related: SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos