Symantec Threat Intelligence has discovered another piece of malware, named “Raindrop”, used in the SolarWinds supply-chain attack. The Raindrop loader was allegedly used to deliver Cobalt Strike, a legitimate penetration testing tool.
After Teardrop, Sunspot, and Sunburst, Raindrop is the fourth malware variant identified in the cyberattacks that targeted SolarWinds’ Orion network monitoring software.
The SolarWinds supply-chain attack began in March 2020. It initially involved planting the Sunburst backdoor in the Orion platform so that users would automatically download it along with the update.
While about 18,000 organizations downloaded the infected software, only a few hundred, including government agencies and tech firms, appear to have been targeted for follow-on attacks.
Raindrop is a loader for the Cobalt Strike penetration testing tool, but it is not installed via the Sunburst backdoor that was added to the SolarWinds Orion network monitoring software update, Symantec said.
The Cobalt Strike kit is used to find vulnerabilities in clients’ networks. Red Team security experts are its primary users, but cybercriminals also appear to profit from its powerful tooling.
Raindrop, however, is not installed through the Sunburst backdoor, as was initially suspected. It installs the asynchronous Cobalt Strike Beacon post-exploitation agent, which “phones home” from targets to command-and-control servers and is used for data exfiltration.
Symantec detected Raindrop at a target organization where several computers had been compromised last year. The malware is compiled as a dynamic link library (DLL); the file Symantec found was named bproxy.dll. Investigators believe Raindrop was used to let the attackers move laterally within the breached networks, as the infected computers were running access and management software.