SolarWinds investigation uncovers new Raindrop malware

A series of malware strains have come out of the woodwork since the SolarWinds security incident. The newest, called Raindrop, is the fourth strain to emerge, and researchers are releasing details of how it works. Raindrop builds on its predecessors (Teardrop, Sunspot, and Sunburst) in numerous ways, though researchers find the greatest similarities with Teardrop. Researchers at Symantec describe Raindrop as “an additional piece of malware used in the SolarWinds attacks.”

Symantec released a thorough investigative piece on Raindrop. The primary function of the malware is much like Teardrop’s: it acts as a loader that delivers Cobalt Strike. While Cobalt Strike was created as a white hat penetration testing tool, it also has a history of being used by cybercriminals to run command and control (C2) servers. Unlike Teardrop, which is delivered via the Sunburst backdoor, Raindrop has not been shown to have any direct connection to Sunburst.

Symantec says the following about Raindrop’s activity:

Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers...
Whenever the DLL is loaded, it starts a new thread from the DllMain subroutine that executes the malicious code. This malicious thread performs the following actions:

  • Executes some computation to delay execution. This does not affect functionality.
  • Locates start of the encoded payload which is embedded within legitimate 7-Zip machine code.

In order to locate the start of the encoded payload, the packer uses steganography by scanning the bytes starting from the beginning of the subroutine and skipping any bytes until the first occurrence of the following bytes that represent operation codes (opcodes) of interest:

.data:0000000180053008 opcodes db 5, 0Dh, 15h, 1Dh, 25h, 2Dh, 35h, 3Dh, 0B8h

Following all of this, the payload is decrypted and decompressed: the payload is encrypted with AES and compressed with the LZMA algorithm. The main goal of Raindrop is to spread throughout a target’s network, and based on its construction, it is incredibly capable of doing this.
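To make the payload-location step quoted from Symantec above concrete for analysts, here is an added example (not Symantec’s code and not code from the malware itself) that performs the same raw byte scan: starting from the beginning of a subroutine, skip bytes until the first one that appears in the opcode table from the .data listing. The sample buffer is constructed for illustration; the mnemonic table is an x86 fact added here (each byte in the listing is the one-byte opcode of an “op eax, imm32” instruction), not something the page states.

```python
"""Locate the first 'opcode of interest' in a function's bytes, mirroring the
scan Symantec describes for the Raindrop packer.  Added example for analysts;
not Symantec's or the malware's own code.  The sample bytes are constructed."""

# Opcode table as quoted on the page (.data:0000000180053008 opcodes db ...).
OPCODES_OF_INTEREST = bytes([0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D, 0xB8])

# Added x86 fact: every byte in the table is the one-byte opcode of an
# "<op> eax, imm32" instruction, i.e. one opcode byte followed by a 4-byte
# little-endian immediate.  Useful for labelling a match in a report.
MNEMONICS = {
    0x05: "add eax, imm32", 0x0D: "or eax, imm32",  0x15: "adc eax, imm32",
    0x1D: "sbb eax, imm32", 0x25: "and eax, imm32", 0x2D: "sub eax, imm32",
    0x35: "xor eax, imm32", 0x3D: "cmp eax, imm32", 0xB8: "mov eax, imm32",
}


def find_first_opcode(code: bytes, start: int = 0) -> int:
    """Return the offset of the first byte in OPCODES_OF_INTEREST at or after
    `start`, or -1 if there is none.  This is a raw byte scan, not a
    disassembly: exactly the 'skip bytes until first occurrence' behaviour the
    page describes, which also means a data byte can match by coincidence."""
    for i in range(start, len(code)):
        if code[i] in OPCODES_OF_INTEREST:
            return i
    return -1


def describe_match(code: bytes, offset: int) -> dict:
    """Analyst-friendly summary of a match: the opcode, its mnemonic and the
    4-byte immediate that follows it (None if the buffer ends early)."""
    op = code[offset]
    imm = code[offset + 1:offset + 5]
    return {
        "offset": offset,
        "opcode": op,
        "mnemonic": MNEMONICS.get(op, "unknown"),
        "imm32": int.from_bytes(imm, "little") if len(imm) == 4 else None,
    }


# Constructed sample: a typical x64 prologue containing none of the table
# bytes, then 'mov eax, 0x11223344' (B8 44 33 22 11), then 'ret'.
SAMPLE = bytes([
    0x48, 0x89, 0x5C, 0x24, 0x08,   # mov [rsp+8], rbx
    0x57,                           # push rdi
    0x48, 0x83, 0xEC, 0x20,         # sub rsp, 0x20
    0xB8, 0x44, 0x33, 0x22, 0x11,   # mov eax, 0x11223344   <- first table byte
    0xC3,                           # ret
])

if __name__ == "__main__":
    off = find_first_opcode(SAMPLE)
    print("first opcode of interest at offset", off)
    print(describe_match(SAMPLE, off))
```

Because the scan is byte-oriented rather than instruction-oriented, the match depends only on where the first table byte happens to sit in the subroutine; when triaging a suspect 7-Zip DLL, run it from the start of the thread routine launched by DllMain, as the page describes, and treat the reported offset as a candidate to confirm in a disassembler.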

Featured image: Flickr/ Eirik Solheim

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
