Friday, October 15, 2021

The fourth type of malware discovered in the SolarWind Hack


Symantec said it identified Raindrop, the fourth type of malware used in the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.

Cybersecurity company Symantec said it had identified another strain of malware used during the attack on SolarWinds, bringing the count to four, after Sunspot, Sunburst (Solorigate), and Teardrop.

The tool was used to spread to other computers in victims' networks.

Named Raindrop, the malware was, according to Symantec, used only in the final stages of the intrusion, and only on the networks of a few selected targets.

Symantec said it had encountered only four samples of Raindrop in the cases it had investigated to date.

Raindrop attack analysis

But to understand Raindrop's role in this attack, we must first look at the timeline of the entire SolarWinds incident.

According to reports and information published by Microsoft, FireEye, CrowdStrike, and others, the intrusion into SolarWinds is believed to have begun in mid-2019, when hackers believed to be linked to the Russian government breached the internal network of SolarWinds, a Texas-based software developer.

Image: Symantec

The attackers first deployed the Sunspot malware, which they used only inside the SolarWinds network. CrowdStrike said the attackers used this malware to tamper with the build process of the SolarWinds Orion app and insert the Sunburst (Solorigate) malware into new versions of Orion, an IT asset management system.

These trojanized Orion versions went undetected and were served from official SolarWinds update servers between March and June 2020. Companies that installed Orion updates also unknowingly installed the Sunburst malware on their systems.

But the Sunburst malware was not particularly sophisticated and did little more than collect data about an infected network and send that data to a remote server.

Although around 18,000 SolarWinds customers found themselves with Sunburst on their systems, the Russian hacking group carefully chose its targets and opted to escalate attacks in only a few cases, against high-profile targets such as US government agencies, Microsoft, or the security company FireEye.

When the attackers decided to "escalate their access," they used Sunburst to download and install the Teardrop malware [see previous reports from Symantec and Check Point].

But Symantec says that in some cases, the hackers chose to use the Raindrop backdoor instead of the more widely used Teardrop.

Although they are separate malware strains, Symantec said the two backdoors had the same functionality, which the company described as "loading the Cobalt Strike Beacon," which the attackers then used to escalate and broaden their access to the hacked IT network.

But while both Raindrop and Teardrop were used for the same purpose, Symantec said there were differences between the two, most of which are under the surface, at the code level, as described in the table below:

Another big difference is how the two types of malware are used.

Symantec said the more widely used Teardrop was installed directly by the Sunburst malware, while Raindrop appeared mysteriously on systems where Sunburst was also found, with no direct evidence that Sunburst had triggered its installation.

The US security company said it was currently investigating how Raindrop was installed.

The most obvious explanation is found in previous reports on the SolarWinds hack: the hackers used the Sunburst malware to run various PowerShell payloads, many of which would leave little forensic evidence on infected hosts. While unconfirmed, Raindrop may be the result of these activities.

But the lesson here is that security teams investigating SolarWinds incidents within their networks now also need to scan for yet another malware strain: Raindrop.

A report released by Symantec today includes the indicators of compromise (IOCs) the security company identified in the cases it investigated.

This new malware, discovered during the SolarWinds investigation, was identified by the cybersecurity company Symantec.
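The practical takeaway above is a file-hash IOC sweep: take the SHA-256 indicators from Symantec's report and check every file on the hosts under investigation against them. The script below is an added example written for this article, not code from Symantec or from the original post. The IOC file format (`sha256  label` per line), the function names and the sample files are all assumptions; the one hash it matches against is computed at run time from a file it constructs itself, because this page does not reproduce the real Raindrop indicators.

```python
"""Sweep a directory tree for files whose SHA-256 matches a list of file-hash IOCs.

Added example, not Symantec's code. Replace the constructed indicator used in
demo() with the SHA-256 values published in the Raindrop report.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

HEX = set("0123456789abcdef")


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def load_iocs(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'sha256  label' lines (assumed format) into {digest: label}.

    Blank lines and '#' comments are ignored; digests are normalised to
    lowercase and validated so a typo in the IOC list fails loudly instead of
    silently never matching.
    """
    iocs: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"not a SHA-256 hex digest: {parts[0]}")
        iocs[digest] = parts[1].strip() if len(parts) > 1 else "unlabelled"
    return iocs


def sweep(root: Path, iocs: Dict[str, str]) -> List[Tuple[Path, str, str]]:
    """Walk `root` and return (path, digest, label) for every IOC hash hit."""
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in iocs:
                hits.append((p, digest, iocs[digest]))
    return hits


def demo() -> Dict[str, object]:
    """Build a constructed tree with one 'malicious' and one benign file and sweep it.

    The indicator is derived from the constructed file so the example is
    self-checking; it is a stand-in, not a real Raindrop hash.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        bad = root / "sub" / "loader.dll"
        bad.write_bytes(b"constructed stand-in for a Raindrop sample")
        (root / "benign.txt").write_bytes(b"nothing to see here")
        ioc_text = [
            "# constructed IOC list (placeholder, not from Symantec's report)",
            f"{sha256_of_file(bad).upper()}  constructed-raindrop-standin",
        ]
        hits = sweep(root, load_iocs(ioc_text))
        return {
            "hit_count": len(hits),
            "hit_names": sorted(h[0].name for h in hits),
            "labels": sorted(h[2] for h in hits),
        }


if __name__ == "__main__":
    for path, digest, label in sweep(Path("."), load_iocs(open("iocs.txt"))):
        print(f"{label}\t{digest}\t{path}")
```

In a real investigation, point `sweep` at the mounted image or live root and feed `load_iocs` the hash list from the report; hash matching only catches known samples, so it complements, rather than replaces, the behavioural checks (Cobalt Strike Beacon loading, unexplained PowerShell activity) the article describes.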

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
