Symantec Identifies New Malware Used in SolarWinds Exploit

Symantec reported that they have uncovered, Raindrop, another piece of malware used in the SolarWinds attacks.


Raindrop is a loader that delivers a Cobalt Strike payload. It is similar to the Teardrop tool but, unlike Teardrop, it is not delivered by the Sunburst backdoor.

“Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst,” said Symantec.

Raindrop is compiled as a DLL built from a modified version of the 7-Zip source code, and it uses several export names that resemble those of system files.

Every time the DLL is loaded, it starts a new thread from its DllMain subroutine that runs the malicious code. That code first performs some computation to delay execution, then locates the start of the encoded payload, which is embedded within legitimate 7-Zip machine code.

Raindrop then extracts the encoded payload, decrypts it using the AES algorithm in CBC mode, decompresses it using the LZMA algorithm, decrypts it again with a single-byte XOR key, and finally executes the decrypted payload as shellcode.


© Fourth Estate® — All Rights Reserved.
This material may not be published, broadcast, rewritten or redistributed.