SolarWinds Malware Arsenal Widens with Raindrop - silversurfer - 19 January 21
Quote: An additional piece of malware, dubbed Raindrop, has been unmasked in the sprawling SolarWinds supply-chain attacks. It was used in targeted attacks after the effort’s initial mass Sunburst compromise, researchers said.
The SolarWinds espionage attack, which has affected several U.S. government agencies, tech companies like Microsoft and FireEye, and many others, began with a poisoned software update that delivered the Sunburst backdoor to around 18,000 organizations last spring. After that broad-brush attack, the threat actors (believed to have links to Russia) selected specific targets to further infiltrate, which they did over the course of several months. The compromises were discovered in December.
Researchers have identified Raindrop as one of the tools used for those follow-on attacks. It’s a backdoor loader that drops Cobalt Strike in order to perform lateral movement across victims’ networks, according to Symantec analysts.
Cobalt Strike is a penetration-testing tool, which is commercially available. It sends out beacons to detect network vulnerabilities. When used for its intended purpose, it simulates an attack. Threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more.
Symantec observed the malware being used on three different victim computers. The first was a high-value target, with computer access-and-management software installed. That management software could be used to access any of the other computers in the compromised organization.
In addition to installing Cobalt Strike, Symantec researchers also observed a legitimate version of 7-Zip being used to install Directory Services Internals (DSInternals) on the computer. 7-Zip is a free and open-source file archiver, while DSInternals is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys or password hashes.
In the second victim, Raindrop installed Cobalt Strike and then executed PowerShell commands that were bent on installing further instances of Raindrop on additional computers in the organization.
And in a third victim, Raindrop installed Cobalt Strike without an HTTP-based command-and-control server.
“It…was rather configured to use a network pipe over SMB,” according to Symantec’s analysis, released Monday. “It’s possible that in this instance, the victim computer did not have direct access to the internet, and so command-and-control was routed through another computer on the local network.”
Read more: https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/