A series of malware strains have come out of the woodwork since the SolarWinds security incident. The newest, called Raindrop, is the fourth strain to be identified, and researchers are releasing details on how it works. Raindrop shares traits with its predecessors (Sunspot, Sunburst, and Teardrop), though researchers find the closest resemblance to Teardrop. Researchers at Symantec describe Raindrop as “an additional piece of malware used in the SolarWinds attacks.”
Symantec released a thorough investigative piece on Raindrop. Functionally it is much like Teardrop: a loader whose job is to deliver Cobalt Strike. Cobalt Strike is a commercial penetration testing and adversary simulation tool, but it is also routinely abused by attackers as a command and control (C2) framework, and a Cobalt Strike payload is what both Teardrop and Raindrop unpack in memory. The key difference is delivery: Teardrop is deployed by the Sunburst backdoor, whereas Raindrop has not been shown to be delivered directly by Sunburst.
Symantec says the following about Raindrop’s activity:
Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers...
Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code. This malicious thread performs the following actions:
- Executes some computation to delay execution. This does not affect functionality.
- Locates start of the encoded payload which is embedded within legitimate 7-Zip machine code.
In order to locate the start of the encoded payload, the packer uses steganography by scanning the bytes starting from the beginning of the subroutine and skipping any bytes until the first occurrence of the following bytes that represent operation codes (opcodes) of interest:
.data:0000000180053008 opcodes db 5, 0Dh, 15h, 1Dh, 25h, 2Dh, 35h, 3Dh, 0B8h
Once the start of the payload has been located, the payload is decrypted and then decompressed: it is AES-encrypted and LZMA-compressed. Building the loader from real 7-Zip source means the DLL can pass a casual inspection as a legitimate compression library, with the malicious logic reduced to a thread started from DllMain and an encoded blob hidden inside otherwise normal-looking machine code. Symantec's evidence points to Raindrop being used for lateral movement, deploying Cobalt Strike onto additional machines inside a victim network rather than onto the initially compromised host.
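To make the locate step concrete, here is an added Python example (my own code, not Symantec's analysis tooling and not Raindrop's code) that re-implements the byte scan against a constructed sample. The opcode table is copied from the disassembly listing above; the mnemonics attached to those bytes are plain x86 fact (each is a one-byte opcode followed by a 32-bit immediate, which is what makes the instruction stream a convenient place to hide data). The sample subroutine and "image" bytes are constructed for the demo, and the `find_opcode_table` function is my own hunting heuristic based on the fact that the table is stored contiguously in the sample's `.data` section.

```python
import struct

# Opcode table exactly as quoted from Symantec's disassembly listing
# (.data:0000000180053008  opcodes db 5, 0Dh, 15h, 1Dh, 25h, 2Dh, 35h, 3Dh, 0B8h).
OPCODES_OF_INTEREST = bytes([0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D, 0xB8])

# What those bytes mean on x86/x64: each is the one-byte opcode of an
# instruction whose operand is a 32-bit immediate, so a run of them can carry
# attacker-controlled data inside legitimate-looking code.
MNEMONICS = {
    0x05: "add eax, imm32",
    0x0D: "or eax, imm32",
    0x15: "adc eax, imm32",
    0x1D: "sbb eax, imm32",
    0x25: "and eax, imm32",
    0x2D: "sub eax, imm32",
    0x35: "xor eax, imm32",
    0x3D: "cmp eax, imm32",
    0xB8: "mov eax, imm32",
}


def find_payload_start(code: bytes, sub_start: int = 0):
    """Re-implement the locate step Symantec describes: scan byte by byte from
    the start of the subroutine and skip everything until the first occurrence
    of an opcode of interest. This is a raw byte scan, not a disassembly, so a
    hit is only an instruction boundary if the code is laid out as the packer
    expects; returns the offset of the hit, or None if there is none."""
    for off in range(sub_start, len(code)):
        if code[off] in OPCODES_OF_INTEREST:
            return off
    return None


def decode_imm32_at(code: bytes, off: int):
    """Decode the instruction at `off` as (mnemonic, immediate), assuming `off`
    sits on one of the opcodes of interest and four operand bytes follow."""
    opcode = code[off]
    if opcode not in MNEMONICS or off + 5 > len(code):
        return None
    imm = struct.unpack_from("<I", code, off + 1)[0]  # little-endian imm32
    return MNEMONICS[opcode], imm


def find_opcode_table(data: bytes):
    """Hunting heuristic (my addition, not from the report): the 9-byte table
    is stored contiguously in .data, so its raw bytes are a cheap thing to
    search for in a suspect DLL. Returns every offset at which it appears."""
    hits, pos = [], data.find(OPCODES_OF_INTEREST)
    while pos != -1:
        hits.append(pos)
        pos = data.find(OPCODES_OF_INTEREST, pos + 1)
    return hits


# Constructed sample (not real Raindrop bytes): a small x64 function whose
# prologue contains none of the opcodes of interest, followed by two
# immediate-carrying instructions, an epilogue and ret.
SAMPLE_SUB = (
    bytes([0x48, 0x89, 0x5C, 0x24, 0x08])    # mov [rsp+8], rbx
    + bytes([0x48, 0x83, 0xEC, 0x28])        # sub rsp, 0x28
    + bytes([0xB8, 0x78, 0x56, 0x34, 0x12])  # mov eax, 0x12345678  <- first hit
    + bytes([0x35, 0xEF, 0xBE, 0xAD, 0xDE])  # xor eax, 0xDEADBEEF
    + bytes([0x48, 0x83, 0xC4, 0x28])        # add rsp, 0x28
    + bytes([0xC3])                          # ret
)

# Constructed "image": padding, the subroutine, more padding, then the opcode
# table as it would sit in .data.
SAMPLE_IMAGE = b"\x00" * 16 + SAMPLE_SUB + b"\x00" * 8 + OPCODES_OF_INTEREST + b"\x00" * 4


if __name__ == "__main__":
    start = find_payload_start(SAMPLE_SUB)
    print("payload start offset:", start)
    print("instruction there:", decode_imm32_at(SAMPLE_SUB, start))
    print("opcode table found at:", find_opcode_table(SAMPLE_IMAGE))
```

Two practical caveats: `0xB8` (`mov eax, imm32`) is extremely common in ordinary compiled code, so the scan is only meaningful when run from the specific subroutine the loader uses, not as a generic detector; and a hit on the 9-byte table is a triage lead to confirm in a disassembler (check that it lives in `.data` and is referenced by a DllMain-spawned thread), not proof of infection on its own.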
Featured image: Flickr/ Eirik Solheim