Raindrop

Malware entry last updated 2024-05-04T21:19:15.093Z
Raindrop is a malware family discovered during the Solorigate investigation, alongside other malicious software such as TEARDROP, SUNBURST and several custom loaders for the Cobalt Strike Beacon. These loaders, Raindrop included, were likely generated from custom Artifact Kit templates. Like TEARDROP, Raindrop functions as a custom Cobalt Strike loader: it decodes and decrypts an embedded Cobalt Strike Beacon stage shellcode and executes it in memory. Microsoft detects it as Trojan:Win64/Solorigate.SB!dha and identified it as one of a set of smaller DLLs that de-obfuscate and load the Reflective Loader from the DLL's CODE section.

The transition from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loaders (TEARDROP, Raindrop and others) has been a focus of the investigations. In the compromises that featured custom tooling, APT29 used custom malware families including SUNBURST, the BEACON droppers RAINDROP and TEARDROP, MAMADOGS (a credential theft tool) and CRIMSONBOX (a .NET tool that extracts the token signing certificate from an ADFS configuration). Raindrop was detected by Symantec, and the security community has since attributed a growing collection of payloads to the actor.

To de-obfuscate the embedded Reflective Loader in memory, Raindrop combines the AES-256 encryption algorithm (with a unique key per sample), LZMA compression and a single-byte XOR decoding routine. This distinguishes it from the Type A loaders, which decode the Reflective Loader with a simple rolling XOR. The discovery of Raindrop and its related variants has given defenders significant insight into the tactics and techniques of these advanced persistent threat actors and their evolving strategies.
Description last updated: 2024-05-04T20:21:15.765Z
Aliases: none currently tracked.