Symantec said it identified Raindrop, the fourth type of malware used in the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.
Cybersecurity company Symantec said it had identified another type of malware used during the attack on the SolarWinds, bringing the number to four, following the likes of Sunspot, Sunburst (Solorigate), and Teardrop.
The tool was used to spread onto other computers in victims’ networks.
Named Raindrop, Symantec said the malware was only used in the final stages of entry, only used on networks for a few selected purposes.
Symantec said it had met only four samples of Raindrop in cases it had investigated to date.
Raindrop attacks analysis
But to understand Raindrop’s role and role in this attack, we must first look at the timeline of the entire SolarWinds incident.
According to reports and information published by Microsoft, FireEye, CrowdStrike, and others, the entry of SolarWinds is believed to have taken place in mid-2019 when hackers, believed to be linked to the Russian government, broke the internal network of SolarWinds, Texas-based software developer.
Participants first sent the Sunspot malware, which they used only within the SolarWinds network. CrowdStrike said the attackers had used malware to alter the process of building the SolarWinds Orion app and incorporating Sunburst (Solorigate) malware into new versions of Orion, an IT asset management system.
These Orion versions used were not found and were running on official SolarWinds update servers between March and June 2020. Companies that installed Orion updates also installed malburst malware on their systems unknowingly.
But the Sunburst malburst was not particularly complicated and did not do much other than collect data through an infected network and send data to a remote server.
Although around 18,000 SolarWinds customers find themselves with Sunburst malware, the Russian hacking group has carefully chosen its targets and opted to increase attacks only in a few cases, with the likes of high-profile targets such as US government agencies, Microsoft, or security company FireEye.
While the hijackers decided to “increase their access,” they used Sunburst to download and install Teardrop malware [see previous reports from Symantec and Check Point].
But Symantec says that in some cases, hackers have chosen to use the mind Raindrop type instead of the more widely used Teardrop.
Although they are separate pillars, Symantec said the two backs had the same functionality, which the company described as “loading the Cobalt Strike Beacon,” which passengers used over time to increase and increase their access to the hacked IT network.
But while both Raindrop and Teardrop were used for the same purpose, Symantec said there were differences between the two, most of which are below the area, at the code level, which is well described in the table below:
Another big difference is how the two types of malware are used.
Symantec said the most widely used Teardrop was directly installed by Sunburst malware, while Raindrop appeared mysteriously in the programs where Sunburst was found, with no direct evidence that Sunburst had created its installation.
The US security company said it was currently investigating how Raindrop was installed.
The most obvious approach is found in previous reports on hacks at SolarWinds that hackers used Sunburst malware to run various non-PowerShell payments, many of which would leave little evidence of spying on infected managers. While unconfirmed, Raindrop may be the result of these activities.
But the lesson here is that security teams investigating SolarWinds incidents within their networks now also need to scan for the detection of another type of malware – Raindrop.
A report by Symantec released today includes indicators of compromises (IOCs) that a security company has identified in the cases it investigated.
So This New Malware Discovered in SolarWinds Investigation and it is discovered and identified By Cybersecurity company Symantec