Friday, July 23, 2021

The fourth type of malware discovered in the SolarWind Hack


Symantec said it identified Raindrop, the fourth type of malware used in the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.

Cybersecurity company Symantec said it had identified another type of malware used during the attack on SolarWinds, bringing the number of known strains to four, after Sunspot, Sunburst (Solorigate), and Teardrop.

The tool was used to spread onto other computers inside victims’ networks.

Named Raindrop, the malware, according to Symantec, was used only in the final stages of the intrusion, and only on a few networks, for a few selected purposes.

Symantec said it had encountered only four samples of Raindrop in the cases it had investigated to date.

Raindrop attacks analysis

To understand Raindrop’s role and position in this attack, we must first look at the timeline of the entire SolarWinds incident.

According to reports and information published by Microsoft, FireEye, CrowdStrike, and others, the breach of SolarWinds is believed to have taken place in mid-2019, when hackers, believed to be linked to the Russian government, broke into the internal network of SolarWinds, a Texas-based software developer.

[Image: Symantec]

The attackers first deployed the Sunspot malware, which they used only inside the SolarWinds network. CrowdStrike said the attackers used this malware to alter the build process of the SolarWinds Orion app and insert the Sunburst (Solorigate) malware into new versions of Orion, an IT asset management system.

These trojanized Orion versions went undetected and were served from official SolarWinds update servers between March and June 2020. Companies that installed the Orion updates unknowingly installed the Sunburst malware on their systems as well.

The Sunburst malware itself was not particularly complicated and did little beyond collecting data about an infected network and sending that data to a remote server.

Although around 18,000 SolarWinds customers found themselves with Sunburst malware, the Russian hacking group carefully chose its targets and opted to escalate the attack in only a few cases, against high-profile targets such as US government agencies, Microsoft, or the security company FireEye.

Where the attackers decided to “increase their access,” they used Sunburst to download and install the Teardrop malware [see previous reports from Symantec and Check Point].

But Symantec says that in some cases the hackers chose to use the Raindrop strain instead of the more widely used Teardrop.

Although they are separate strains, Symantec said the two backdoors had the same functionality, which the company described as “loading the Cobalt Strike Beacon,” which the attackers then used to expand and escalate their access within the hacked IT network.

But while both Raindrop and Teardrop were used for the same purpose, Symantec said there were differences between the two, most of them under the hood, at the code level, as described in the table below:

Another big difference is how the two types of malware are used.

Symantec said the more widely used Teardrop was installed directly by the Sunburst malware, while Raindrop appeared on systems where Sunburst was also found, with no direct evidence that Sunburst had triggered its installation.

The US security company said it was still investigating how Raindrop was installed.

The most obvious explanation comes from previous reports on the SolarWinds hack, which found that the hackers used the Sunburst malware to run various non-PowerShell payloads, many of which would leave little evidence on infected hosts. While unconfirmed, Raindrop may be the result of these activities.

The lesson here is that security teams investigating SolarWinds incidents within their networks now also need to scan for another type of malware: Raindrop.

A report released by Symantec today includes the indicators of compromise (IOCs) that the security company identified in the cases it investigated.

This new malware, discovered during the SolarWinds investigation, was identified by cybersecurity company Symantec.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
