Symantec, a division of Broadcom (NASDAQ: AVGO), has uncovered an additional piece of malware used in the SolarWinds attacks which was used against a select number of victims that were of interest to the attackers.

Raindrop (Backdoor.Raindrop) is a loader which delivers a payload of Cobalt Strike. Raindrop is very similar to the already documented Teardrop tool, but there are some key differences between the two.

While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.

In one victim, in early July 2020, Sunburst was installed through the SolarWinds Orion update, as has been well documented. The following day, Teardrop was subsequently installed on one of these computers. That computer was found to have an active directory query tool, as well as a credential dumper designed specifically for SolarWinds Orion databases. The credential dumper was similar to, but not the same as, the open source Solarflare tool.

Eleven days later, on a third victim computer in the organization, where no previous malicious activity had been observed, a copy of the previously unseen Raindrop was installed under the name bproxy.dll. This computer was running computer access and management software. The attackers could have used this software to access any of the computers in the compromised organization.

One hour later, the Raindrop malware installed an additional file called "7z.dll". We were unable to retrieve this file, however, within hours a legitimate version of 7zip was used to extract a copy of what appeared to be Directory Services Internals (DSInternals) onto the computer. DSInternals is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.

An additional tool called mc_store.exe was later installed by the attackers on this computer. The tool is an unknown PyInstaller packaged application. No further activity was observed on this computer.

In a second victim where the Raindrop loader was seen, it was installed in a file called astdrvx64.dll in late May. Several days later, in early June, PowerShell commands were executed on that computer, attempting to execute further instances of Raindrop on additional computers in the organization.

"Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\Speech_OneCore\Engines\TTS\en-US\ TkChangeEventWindow' -ComputerName REDACTED"
"Invoke-Command -ComputerName REDACTED -ScriptBlock "

In a third victim, where Raindrop was seen, the instance of Cobalt Strike that was extracted did not have a HTTP-based command and control server, but was rather configured to use a network pipe over SMB (\\.\pipe\protected_storage). It's possible that in this instance, the victim computer did not have direct access to the internet, and so command and control was routed through another computer on the local network.

Raindrop is similar to Teardrop in that both pieces of malware act as a loader for Cobalt Strike Beacon. Raindrop uses a custom packer to pack Cobalt Strike. This packer is different to the one used by Teardrop. Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers.

The malware will then perform the following actions:

In order to locate the start of the encoded payload, the packer uses steganography by scanning the bytes starting from the beginning of the subroutine and skipping any bytes until the first occurrence of the following bytes that represent operation codes (opcodes) of interest:
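The lateral-movement commands and the SMB named pipe described above give a defender three concrete things to look for in PowerShell script-block and Sysmon-style pipe logs. The following detection sketch is an added example, not Symantec's code; the log lines, host name and rule names are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the Symantec post). The first is
# modelled on the Invoke-WMIMethod command quoted above, the second on a
# Sysmon-style named-pipe event for the SMB pipe named above, the third is benign.
SAMPLE_EVENTS = [
    "ScriptBlockText: Invoke-WMIMethod win32_process -name create -argumentlist "
    "'rundll32 c:\\windows\\Speech_OneCore\\Engines\\TTS\\en-US\\ TkChangeEventWindow' "
    "-ComputerName HOST01",
    "PipeEvent: Pipe Created, PipeName: \\protected_storage, "
    "Image: C:\\Windows\\System32\\rundll32.exe",
    "ScriptBlockText: Get-Process | Where-Object { $_.CPU -gt 100 }",
]

# Rule 1: remote process creation through WMI that spawns rundll32.
REMOTE_WMI_RUNDLL32 = re.compile(
    r"Invoke-WMIMethod\s+win32_process\b.*?-name\s+create\b.*?\brundll32\b", re.I)

# Rule 2: rundll32 handed a DLL path outside the System32 / SysWOW64 trees.
RUNDLL32_ARG = re.compile(
    r"\brundll32(?:\.exe)?\s+(?P<dll>[a-z]:\\[^'\"]+?)(?:\s|'|\"|$)", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Rule 3: the named pipe the extracted Cobalt Strike beacon used for C2 over SMB.
SUSPICIOUS_PIPES = {"\\protected_storage"}
PIPE_NAME = re.compile(r"PipeName:\s*(?P<pipe>\\[^,\s]+)", re.I)


def classify(event: str) -> list[str]:
    """Return the names of every rule that matches one log line."""
    hits = []
    if REMOTE_WMI_RUNDLL32.search(event):
        hits.append("remote_wmi_rundll32")
    m = RUNDLL32_ARG.search(event)
    if m and not m.group("dll").lower().startswith(SYSTEM_DIRS):
        hits.append("rundll32_nonstandard_dll_path")
    p = PIPE_NAME.search(event)
    if p and p.group("pipe").lower() in SUSPICIOUS_PIPES:
        hits.append("cobalt_strike_smb_pipe")
    return hits


def scan(events):
    """Map each event index to its rule hits, dropping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Rule 2 is deliberately broader than the single path quoted in the post: any rundll32 invocation loading from a non-system directory is worth triage, since Raindrop was dropped under different names on different hosts.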