Skip to content

S0565 Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.32

Item Value
ID S0565
Associated Names
Version 1.2
Created 19 January 2021
Last Modified 27 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1140 Deobfuscate/Decode Files or Information Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.32
enterprise T1036 Masquerading Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.32
enterprise T1036.005 Match Legitimate Name or Location Raindrop was installed under names that resembled legitimate Windows file and directory names.32
enterprise T1027 Obfuscated Files or Information Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.32
enterprise T1027.002 Software Packing Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.32
enterprise T1027.003 Steganography Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.3
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion After initial installation, Raindrop runs a computation to delay execution.3

Groups That Use This Software

ID Name References
G0016 APT29 345786