SolarWinds Hackers Used 7-Zip Code To Hide Raindrop Cobalt Strike Loader

The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool that researchers call Raindrop and was used for distribution across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

• Sunspot, the initial malware used to inject backdoors into the Orion platform builds
• Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
• Teardrop post-exploitation tool delivered by Sunburst on select victims deploy customized Cobalt Strike beacons
• Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but it is different as far as the deployment mechanism is concerned, as well as at the code level.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover as it is not used in any way.

In one victim that installed the trojanized Orion platform in early July 2020, Symantec found that teardrop came the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where malicious activity had not been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers used PowerShell for lateral movement activity by creating new tasks on remote machines.

Symantec has seen four samples of the new malware, all delivering a Cobalt Strike beacon. In three cases, the payload was configured to communicate HTTPS. In the last instance, the communication occurred over an SMB Named Pipe, likely because the computer did not have internet access and another computer on the network was used for command and control.

Also Read: Letter of Consent MOM: Getting the Details Right

Symantec finding Raindrop adds another piece to the SolarWinds supply-chain attack puzzle. It reveals another aspect of the operation, giving defenders and investigators new avenues to explore in their effort to clean impacted networks.