S0560 TEARDROP
TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]
| Item | Value |
|---|---|
| ID | S0560 |
| Associated Names | - |
| Type | MALWARE |
| Version | 1.2 |
| Created | 06 January 2021 |
| Last Modified | 27 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.[3][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[1][3][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | TEARDROP files had names that resembled legitimate Windows file and directory names.[1][2] |
| enterprise | T1112 | Modify Registry | TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[3] |
| enterprise | T1027 | Obfuscated Files or Information | TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[1][3][2] |
| enterprise | T1012 | Query Registry | TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[1][2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1][5][6][7][9][10][8] |
References
1. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
3. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
4. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
5. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
6. MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
7. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
8. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
9. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
10. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.