TEARDROP

Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the same threat actor. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal information, or even hold data hostage for ransom. Teardrop is unique as it does not contain a custom preliminary loader, instead, the loader DLL de-obfuscates and executes the Cobalt Strike Reflective DLL in memory. Microsoft has analyzed two versions of this second-stage custom Cobalt Strike Beacon loader, known as Teardrop. The malware was detected during the Solorigate investigation, where it was likely generated using custom Artifact Kit templates. Notably, Teardrop is a memory-only dropper that runs as a service, spawns a thread, and reads from the file "gracious_truth.jpg," which likely has a fake JPG header. In at least one instance, the attackers deployed Teardrop to execute a customized Cobalt Strike BEACON. The communication with the command and control server (C2) is mainly carried out through rundll32.exe. Mitigation strategies have been provided by FireEye, which includes Yara rules to detect Teardrop. Defenders should look for specific alerts from FireEye HX: MalwareGuard and WindowsDefender. Teardrop does not have code overlap with any previously seen malware, making its detection and mitigation a challenging task. The threat actors also match the hostnames on their command and control infrastructure to legitimate hostnames found within the victim's environment, further complicating the detection process. Despite these challenges, ongoing efforts by cybersecurity firms continue to monitor and mitigate this threat.