Raindrop

Malware Profile Updated 3 months ago
Raindrop is a loader discovered by Symantec in January 2021 during the Solorigate (SolarWinds) investigation, alongside TEARDROP, SUNBURST, and other custom loaders for the Cobalt Strike Beacon. These loaders, Raindrop included, were likely generated from custom Cobalt Strike Artifact Kit templates. Like TEARDROP, Raindrop is a custom Cobalt Strike loader: it decodes and decrypts an embedded Cobalt Strike Beacon stage (shellcode) and executes it in memory. Microsoft detects it as Trojan:Win64/Solorigate.SB!dha and groups it with a set of smaller loader DLLs that de-obfuscate and load the Reflective Loader from the DLL's CODE section. Whereas TEARDROP was delivered by SUNBURST, Symantec found no evidence of Raindrop being dropped by SUNBURST directly; it appeared on other hosts in networks where at least one machine had already been compromised, and was used to spread laterally. The transition from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loaders (TEARDROP, Raindrop, and others) was a focus of the investigations. During the compromises that featured custom tools, APT29 used custom malware families including SUNBURST, the BEACON droppers RAINDROP and TEARDROP, MAMADOGS, a credential theft tool, and CRIMSONBOX, a .NET tool that extracts the token signing certificate from an ADFS configuration. Since Symantec's discovery, the security community has identified a growing collection of payloads attributed to the actor. Raindrop de-obfuscates the embedded Reflective Loader in memory using a combination of AES-256 decryption (with a key unique to each sample), LZMA decompression, and a single-byte XOR decoding routine. This distinguishes it from the Type A loaders such as TEARDROP, which decode the Reflective Loader with a simple rolling XOR. The discovery of Raindrop and its related loaders gave significant insight into the tactics and techniques of this advanced persistent threat actor and how its tooling evolved during the campaign.
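The layered de-obfuscation is what an analyst has to undo to reach the Beacon. The Python script below is an added example and is not Raindrop's code nor anything published by Symantec or Microsoft: it models the LZMA and single-byte XOR layers on a constructed stand-in loader, recovers the XOR key from the known "MZ" header that a Reflective Loader DLL begins with, and contrasts that with a Type A style rolling XOR. The AES-256 layer is left out because the Python standard library has no AES and the per-sample key would have to be pulled from the sample anyway; the layer order (XOR applied to the loader, then LZMA around it) and the rolling-XOR schedule (key incremented per byte) are assumptions for illustration, not Raindrop's or TEARDROP's actual scheme.

```python
import lzma
from typing import Optional, Tuple

# Constructed stand-in for the embedded Reflective Loader. A real Cobalt
# Strike reflective DLL starts with a full DOS/PE header; only the leading
# "MZ" bytes matter here, because they are the known plaintext we pivot on.
FAKE_LOADER = b"MZ\x90\x00\x03\x00" + bytes(range(256)) * 4 + b"<constructed loader body>"

XZ_MAGIC = b"\xfd7zXZ\x00"  # header of an xz-framed LZMA stream


def xor_single(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def rolling_xor(data: bytes, key: int) -> bytes:
    """Type A style rolling XOR: the key changes for every byte.
    Assumed schedule for this example: increment the key by one per byte.
    Still an involution, so encoding and decoding are the same operation."""
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + 1) & 0xFF
    return bytes(out)


def pack_type_b_layers(loader: bytes, key: int) -> bytes:
    """Build the two layers this example models: XOR the loader, then LZMA
    (xz) compress the result. Layer order is an assumption for illustration."""
    return lzma.compress(xor_single(loader, key), format=lzma.FORMAT_XZ)


def recover_single_xor_key(blob: bytes, known: bytes = b"MZ") -> Optional[int]:
    """Known-plaintext recovery of a single-byte XOR key: the key is whatever
    maps the first ciphertext byte onto 'M'; the remaining known bytes must
    agree, otherwise this is not a single-byte XOR of a PE image."""
    if len(blob) < len(known):
        return None
    key = blob[0] ^ known[0]
    if all((blob[i] ^ key) == known[i] for i in range(len(known))):
        return key
    return None


def unpack_type_b_layers(blob: bytes) -> Tuple[bytes, int]:
    """Peel the layers in reverse: confirm the outer layer is LZMA by its
    magic, decompress, recover the XOR key, decode. Returns (loader, key)."""
    if not blob.startswith(XZ_MAGIC):
        raise ValueError("outer layer is not an xz/LZMA stream")
    decompressed = lzma.decompress(blob)
    key = recover_single_xor_key(decompressed)
    if key is None:
        raise ValueError("no single-byte XOR key yields an MZ header")
    return xor_single(decompressed, key), key


def brute_force_rolling_key(blob: bytes) -> Optional[int]:
    """A rolling key does not help the packer much: only 256 starting values
    exist, so try them all and keep the one that exposes the MZ header."""
    for k in range(256):
        if rolling_xor(blob[:2], k) == b"MZ":
            return k
    return None


if __name__ == "__main__":
    packed = pack_type_b_layers(FAKE_LOADER, 0x5C)
    loader, key = unpack_type_b_layers(packed)
    print(f"type B: key=0x{key:02x} recovered={loader == FAKE_LOADER} "
          f"packed={len(packed)}B unpacked={len(loader)}B")

    type_a = rolling_xor(FAKE_LOADER, 0x41)
    k = brute_force_rolling_key(type_a)
    print(f"type A: rolling key=0x{k:02x} "
          f"recovered={rolling_xor(type_a, k) == FAKE_LOADER}")
```

The practical lesson is that every layer leaks a header: the xz magic identifies the compression stage, and the PE header underneath fixes the XOR key with no brute force at all. Against a real sample the AES stage sits in front of these, so the analyst first pulls the sample-specific key and IV out of the loader and then applies the same peel-and-check loop.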
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
TEARDROP | 1 | Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the
Solorigate | 1 | Solorigate, also known as SUNBURST, is a backdoor used in a supply-chain campaign disclosed in December 2020. It was implanted into the SolarWinds Orion software through a compromise of SolarWinds' build process, an incident Microsoft initially dubbed "Solorigate". This allowed the
Reflective Loader | 1 | A reflective loader is a routine that maps a Dynamic Link Library (DLL) into a process's memory itself, without going through the Windows loader (LoadLibrary) or writing the DLL to disk. Malware uses the technique to execute code directly from memory, which makes it harder for antivirus software to detect and remove. The loader operat
Backnet | 1 | None
trojan:win64/solorigate.sb!dha | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Shellcode
Microsoft
Cobalt Strike
Backdoor
Trojan
Payload
RAT
Loader
Malware
Encryption
Beacon
Associated Malware
ID | Type | Votes | Profile Description
SUNBURST | Unspecified | 1 | Sunburst is the backdoor inserted into the SolarWinds Orion software (SolarWinds.Orion.Core.BusinessLayer.dll) in the supply-chain compromise disclosed in December 2020; researchers have noted code overlaps with the Kazuar backdoor. It used DNS queries to subdomains of avsvmcloud.com, with a victim identifier encoded in the hostname, for its initial command and control (C2) communicat
SUNSPOT | Unspecified | 1 | Sunspot is the implant CrowdStrike identified on SolarWinds' build environment while investigating the intrusion disclosed in December 2020. Linked to COZY BEAR (also known as APT29 or "The Dukes"), it watched for Orion builds and swapped a source file so that the SUNBURST backdoor was compiled into the shipped product. Once insid
Sibot | Unspecified | 1 | Sibot is a malware that operates as a dual-purpose VBScript, designed to achieve persistence on an infected machine and then download and execute payloads from a remote C2 server. It reaches out to a compromised website to download a DLL to a folder under System32. Malware is harmful software capabl
NativeZone | Unspecified | 1 | NativeZone is a malware identified as a custom Cobalt Strike Beacon loader. This malicious software was dubbed NativeZone by Microsoft and is typically loaded and executed through rundll32.exe to deliver follow-on payloads. The malware uses DLL files, such as Document.dll and NativeCacheSvc.dll, and
Cobalt Strike Beacon | Unspecified | 1 | Cobalt Strike Beacon is the post-exploitation payload of the Cobalt Strike framework; built for red teaming, it is widely abused by threat actors for command and control, lateral movement, and staging further malware. Beacon has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an
Mamadogs | Unspecified | 1 | None
Crimsonbox | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
SideCopy | Unspecified | 1 | SideCopy is a Pakistani threat actor that has been operational since at least 2019, primarily targeting South Asian countries, specifically India and Afghanistan. The Advanced Persistent Threat (APT) group uses lures such as archive files embedded with Lnk, Microsoft Publisher or Trojanized Applicat
APT29 | Unspecified | 1 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor attributed to Russia's Foreign Intelligence Service (SVR). The group conducts long-running cyber-espionage operations against government, diplomatic, and technology targets. It has been associated with several high-profi
NOBELIUM | Unspecified | 1 | Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Raindrop malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
MITRE | 7 months ago | Assembling the Russian Stacking Doll: UNC2452 Merged into APT29
CERT-EU | 9 months ago | SideCopy's Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT
MITRE | a year ago | Breaking down NOBELIUM's latest early-stage toolset - Microsoft Security Blog
MITRE | a year ago | Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
MITRE | a year ago | Raindrop: New Malware Discovered in SolarWinds Investigation
MITRE | a year ago | Security Advisory | SolarWinds