Cybersecurity researchers have unveiled a fourth new malware strain – designed to spread the malicious software to other computers in victims’ networks – used as part of a SolarWinds supply chain attack uncovered late last year.
Dubbed “Raindrop” by Broadcom-owned Symantec, the malware joins other malicious implants such as Sunspot, Sunburst (or Solorigate), and Teardrop that were stealthily delivered to enterprise networks.
The latest finding comes in the midst of an ongoing probe into the breach, suspected to be of Russian origin, which has claimed numerous US government agencies and private sector companies.
“The discovery of Raindrop is a significant step in our investigation of SolarWinds attacks as it provides further insights into post-compromise activity in organizations of interest to the attackers,” said Symantec researchers.
The cybersecurity company said it has found only four samples of Raindrop so far, which were used to deliver Cobalt Strike Beacon – an in-memory backdoor capable of command execution, keylogging, file transfer, privilege escalation, port scanning, and lateral movement.
Symantec last month identified more than 2,000 systems belonging to 100 customers that received the trojanized SolarWinds Orion updates, with select targets infected with a second-stage payload called Teardrop, which is also used to install Cobalt Strike Beacon.
“The way Teardrop is built, it could have dropped anything; in this case, it dropped Beacon, a payload included with Cobalt Strike,” Check Point investigators said, noting that it may have been done to “make attribution more difficult.”
“While Teardrop was used on computers infected by the original Sunburst Trojan, Raindrop appeared elsewhere on the network, used by the attackers to move laterally and deploy payloads on other computers.”
It is worth noting that the attackers used the Sunspot malware against SolarWinds in September 2019 to compromise its build environment and inject the Sunburst Trojan into its Orion network monitoring platform. The tampered software was then distributed to the company’s 18,000 customers.
Microsoft’s analysis of the Solorigate modus operandi last month found that the operators had carefully selected their targets, choosing to escalate the attacks in only a handful of cases by using Teardrop, based on intelligence gathered during an initial reconnaissance of the target environment for high-value accounts and assets.
Now Raindrop (“bproxy.dll”) joins the mix. While Teardrop and Raindrop both act as droppers for Cobalt Strike Beacon, they differ in several ways.
For a start, Teardrop is delivered directly by the initial Sunburst backdoor, whereas Raindrop appears to have been used with the goal of spreading across the victims’ network. What’s more, the malware appears on networks where at least one computer has already been compromised by Sunburst, with no indication that Sunburst triggered its installation.
The two malware strains also use different Cobalt Strike packers and configurations.
Symantec did not identify the organizations affected by Raindrop, but said the samples were found on a victim system that ran computer access and control software, and on a machine found to be executing PowerShell commands to infect additional computers in the organization with the same malware.