{"id":39193,"date":"2021-01-19T12:00:05","date_gmt":"2021-01-19T12:00:05","guid":{"rendered":"http:\/\/0dbcd9d1-0c93-4935-960c-5ac375ba0e0c"},"modified":"2021-01-19T12:00:05","modified_gmt":"2021-01-19T12:00:05","slug":"fourth-malware-strain-discovered-in-solarwinds-incident","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/fourth-malware-strain-discovered-in-solarwinds-incident\/","title":{"rendered":"Fourth malware strain discovered in SolarWinds incident"},"content":{"rendered":"
\"raindrop<\/span>
<\/span> Image via Ben Maguire <\/span><\/figcaption><\/figure>\n

Cyber-security firm Symantec said it identified another malware strain that was used during the SolarWinds supply chain attack, bringing the total number to four, after the likes of Sunspot, Sunburst (Solorigate), and Teardrop.<\/p>\n

Named Raindrop<\/strong>, Symantec said the malware was used only during the very last stages of an intrusion, deployed only on the networks of very few selected targets.<\/p>\n

Symantec said it encountered only four Raindrop samples in the cases it investigated until today.<\/p>\n

Timeline of the SolarWinds supply chain attack<\/h3>\n

But to understand Raindrop’s role and position in these attacks, we must first go over the timeline of the entire SolarWinds incident.<\/p>\n

Based on reports and information published by Microsoft, FireEye, CrowdStrike, and others, the SolarWinds intrusion is believed to have taken place in mid-2019 when hackers, believed to be linked to the Russian government<\/a>, breached the internal network of SolarWinds, a Texas-based software maker.<\/p>\n

The intruders first deployed the Sunspot malware<\/a>, which they used exclusively inside SolarWinds’ own network. CrowdStrike said the attackers used the malware to modify the build process of the SolarWinds Orion app and insert the Sunburst<\/a> (Solorigate<\/a>) malware inside new versions of Orion, an IT inventory management system.<\/p>\n

These trojanized Orion versions went undetected and were active on the official SolarWinds update servers between March and June 2020. Companies who applied Orion updates also unwittingly installed the Sunburst malware on their systems.<\/p>\n

<\/section>\n

But the Sunburst malware wasn’t particularly complex and didn’t do much except gather info about the infected network and send the data to a remote server.<\/p>\n

Even if around 18,000 SolarWinds customers got themselves infected with the Sunburst malware, the Russian hacking group carefully selected its targets and opted to escalate attacks only in a handful of cases, for the likes of high-profile targets such as US government agencies, Microsoft, or security firm FireEye.<\/p>\n

When hackers decided to “escalate their access,” they used Sunburst to download and install the Teardrop malware [see past reports from <\/em>Symantec<\/em><\/a> and <\/em>Check Point<\/em><\/a>].<\/p>\n

Raindrop \u2014 Teardrop’s sibling<\/h3>\n

But Symantec says that in some cases, the hackers chose to deploy the Raindrop malware strain instead of the more widely used Teardrop.<\/p>\n

Despite being different strains, Symantec said the two backdoors had similar functionality, which the company described as being “a loader for [the] Cobalt Strike Beacon,” which the intruders later used to escalate and broaden their access inside a hacked IT network.<\/p>\n

But while both Raindrop and Teardrop were used for the same purpose, Symantec said that some differences also exist between the two, most being under the hood, at the code level, best described in the table below:<\/p>\n

\"raindrop-teardrop-comparison.png\"<\/span>