S0565 Raindrop
Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.[2][3]
Item | Value |
---|---|
ID | S0565 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 19 January 2021 |
Last Modified | 26 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1140 | Deobfuscate/Decode Files or Information | Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[2][3] |
enterprise | T1036 | Masquerading | Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.[2][3] |
enterprise | T1036.005 | Match Legitimate Name or Location | Raindrop was installed under names that resembled legitimate Windows file and directory names.[2][3] |
enterprise | T1027 | Obfuscated Files or Information | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[2][3] |
enterprise | T1027.002 | Software Packing | Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[2][3] |
enterprise | T1027.003 | Steganography | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | After initial installation, Raindrop runs a computation to delay execution.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [2][4][5] |
References
- [1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- [2] Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- [3] MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- [4] MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- [5] Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.