New Raindrop malware used in SolarWinds hack found

Another piece of malware, named Raindrop by researchers, that was used in the SolarWinds supply chain hack has been discovered by Symantec.

Raindrop is a loader for the Cobalt Strike penetration testing tool, but it is not installed via the Sunburst backdoor that was added to the SolarWinds Orion network monitoring software update, Symantec said.

The Cobalt Strike kit is penetration testing tool used by "Red Team" security experts, engaged to find vulnerabilities in their clients networks; however, threat actors are also taking advantage of the powerful Cobalt Strike tools.

Raindrop installs the asynchronous Cobalt Strike Beacon post-exploitation agent to "phone home" to command and control servers from targets, and for data exfiltration.

Symantec discovered Raindrop at a victim organisation that had had multiple computers compromised in July last year.

The researchers believe Raindrop was used to allow attackers to move laterally within the victim organisation's network, as the compromised computer was running access and management software.

Two other tools, the legitimate Directory Services Internals for querying Active Directory servers for data such as passwords and digitial keys and the unknown mc_store.exe PyInstaller were also installed by Raindrop.

Raindrop is similar to the Teardrop payload discovered earlier, and which also installs Cobalt Strike Beacon. Teardrop is delivered as a secondary payload by the Sunburst malware.

The malware is compiled as a dynamic link library (DLL) and the file Symantec found was named bproxy.dll.