Raindrop

Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Raindrop, like TEARDROP, functions as a custom Cobalt Strike loader, responsible for decoding/decrypting an embedded Cobalt Strike Beacon stage shellcode and executing it in memory. It's also known as Trojan:Win64/Solorigate.SB!dha by Microsoft and was identified as part of a set of smaller DLLs that de-obfuscate and load the Reflective Loader from the DLL’s CODE section. The transition from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) has been a focus of cybersecurity investigations. During the compromises that featured custom tools, APT29 used custom malware families including SUNBURST, BEACON droppers RAINDROP and TEARDROP, MAMADOGS, a credential theft tool, and CRIMSONBOX, a .NET tool that extracts the token signing certificate from an ADFS configuration. Raindrop was detected by Symantec, and the security community has since identified a growing collection of payloads attributed to the actor. Raindrop uses a combination of the AES-256 encryption algorithm (unique key per sample), LZMA compression, and a single-byte XOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. This is distinct from Type A loaders, which use a simple rolling XOR methodology to decode the Reflective Loader. The discovery of Raindrop and its associated malware variants has provided significant insight into the tactics and techniques of advanced persistent threat actors and their evolving strategies.