TEARDROP

Malware Profile Updated a month ago
TEARDROP is a second-stage loader attributed to APT29/Cozy Bear (tracked by Microsoft as NOBELIUM and by CrowdStrike as StellarParticle), the actor behind the SolarWinds supply-chain compromise. It was delivered to selected victims by the SUNBURST (Solorigate) backdoor implanted in SolarWinds Orion and belongs to the same toolset as Raindrop, GoldMax, Sibot and the actor's other custom Cobalt Strike Beacon loaders. It is not a mass-distributed trojan: it reaches only hosts the actor has already singled out through SUNBURST, and its purpose is to stage a Cobalt Strike Beacon for hands-on-keyboard activity, not to disrupt operations or ransom data.

Functionally, TEARDROP is a memory-only dropper that runs as a Windows service, spawns a thread, and reads a file named gracious_truth.jpg, which likely carries a fake JPG header in front of the encoded payload. FireEye reported that it decodes the embedded payload with a custom rolling XOR and maps it into memory using a custom PE-like format. It does not contain a custom preliminary loader; instead the loader DLL de-obfuscates and executes the Cobalt Strike Reflective DLL in memory. Microsoft analyzed two versions of this second-stage custom Cobalt Strike Beacon loader during the Solorigate investigation and assessed that the loaders were likely generated from custom Artifact Kit templates, which is consistent with FireEye's finding that TEARDROP has no code overlap with previously seen malware. In at least one intrusion the actor used TEARDROP to execute a customized Cobalt Strike BEACON, and TEARDROP has also been executed through rundll32.exe. The command-and-control traffic itself is generated by the Beacon payload rather than by the loader; to blend in, the actor matched the hostnames of its C2 infrastructure to legitimate hostnames found within the victim's environment.

Detection: FireEye published Yara rules and other countermeasures for TEARDROP, and the relevant product alerts are FireEye HX: MalwareGuard and Windows Defender (the trojan:win64/solorigate.sa!dha entry listed under associated malware below is a Microsoft Defender detection name, not a separately tracked family). Because the loader shares no code with earlier malware and the Beacon lives only in memory, static signatures alone are weak; defenders should also hunt the behaviour, such as a service that spawns a thread and reads a .jpg from an unusual location, DLLs launched via rundll32.exe from non-standard paths, and Beacon-style C2 to hostnames that mimic the victim's own naming.
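The profile says TEARDROP reads its payload from gracious_truth.jpg, which likely carries a fake JPG header. A cheap hunting check that follows from that is a structural JPEG walk: a real image is a chain of marker segments, while an encoded blob with JPEG magic bytes glued on the front will not walk cleanly. The following is an added example written for this profile, not FireEye's or Microsoft's code and not a signature for TEARDROP itself; the helper names, the sample "good" JPEG and the hypothetical fake file contents are all constructed here, and the real gracious_truth.jpg may be laid out differently.

```python
"""Structural JPEG walk to flag payload files hiding behind a fake JPG header.

Added example for this profile; it is not FireEye's, Microsoft's, or the
actor's code, and it is not a signature for TEARDROP. A real JPEG is a chain
of marker segments (SOI, APPn/DQT/SOF/DHT..., SOS, entropy-coded data, EOI);
a blob that merely starts with the JPEG magic bytes will not walk cleanly.
All sample bytes below are constructed.
"""
from dataclasses import dataclass

SOI = 0xD8                     # start of image
EOI = 0xD9                     # end of image
SOS = 0xDA                     # start of scan; entropy-coded data follows until EOI
RSTN = set(range(0xD0, 0xD8))  # restart markers, no length field
STANDALONE = RSTN | {0x01}     # TEM also carries no length field
JPEG_NAMES = (".jpg", ".jpeg")


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def walk_jpeg(data: bytes) -> Verdict:
    """Check whether `data` is a structurally valid JPEG marker sequence.

    Purely structural (no image decoding), so it is cheap enough to run over
    every image-named file on a host or share when hunting masqueraded payloads.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return Verdict(True, "missing JPEG SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return Verdict(True, f"expected marker at offset {pos}, got 0x{data[pos]:02X}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            return Verdict(True, "truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return Verdict(False, "well-formed JPEG marker sequence")
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return Verdict(True, "truncated segment length")
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # length includes itself
        if seg_len < 2 or pos + seg_len > len(data):
            return Verdict(True, f"segment 0x{marker:02X} length {seg_len} exceeds file")
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data: skip until a marker that is neither 0xFF00
            # byte stuffing nor RSTn. An encoded blob rarely gets this far.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RSTN:
                    break
                pos += 1
            else:
                return Verdict(True, "no EOI after scan data")
    return Verdict(True, "reached end of file without EOI")


def scan_named_blob(name: str, data: bytes) -> Verdict:
    """Apply the walk only to files whose name claims to be a JPEG."""
    if not name.lower().endswith(JPEG_NAMES):
        return Verdict(False, "not JPEG-named; skipped")
    return walk_jpeg(data)


# Constructed minimal JPEG: SOI, APP0/JFIF, SOS, a few bytes of scan data, EOI.
GOOD_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xDA" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3F\x00"
    + b"\x12\x34\xFF\x00\x56"  # scan data containing one 0xFF00 stuffed byte
    + b"\xFF\xD9"
)

# Constructed fake: JPEG magic glued onto a PE-looking blob (hypothetical, not
# the real gracious_truth.jpg contents). The bytes after the APP0 marker read
# as a segment length of 0x4D5A, far past the end of the file.
FAKE_JPEG = b"\xFF\xD8\xFF\xE0" + b"MZ\x90\x00" + bytes(range(0x10, 0x40))

if __name__ == "__main__":
    for name, blob in (("photo.jpg", GOOD_JPEG), ("gracious_truth.jpg", FAKE_JPEG)):
        v = scan_named_blob(name, blob)
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} ({v.reason})")
```

This is a triage heuristic, not a replacement for the FireEye Yara rules: a loader that embeds a complete real image ahead of its payload would pass the walk, so treat a pass as "structurally a JPEG" and a fail as "worth a second look", and pair it with the service and rundll32.exe behaviour described above.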
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile description

SUNBURST (2 votes): SUNBURST is the backdoor that was implanted in SolarWinds' Orion platform through a supply-chain compromise, causing significant cybersecurity concern. Code overlaps with the Kazuar backdoor have been reported. The Sunburst campaign was exposed in December 2020 by cybersecurity firm Fir

Beacon (1 vote): No description.

Cobalt Strike Beacon (1 vote): Cobalt Strike Beacon is the post-exploitation payload of the commercial Cobalt Strike framework and is widely abused by threat actors, including in ransomware intrusions. In one tracked cluster it is loaded by HUI Loader through files such as mpc.tmp, dlp.ini, vmtools.ini, and an encrypted version via vm.cfg. This malicious software can infiltrate systems and enable backdoor functiona

Solorigate (1 vote): Solorigate, also known as SUNBURST, is the backdoor used in the series of intrusions disclosed in December 2020. It was implanted into the SolarWinds Orion software through a supply-chain compromise, which Microsoft initially dubbed "Solorigate". This allowed the

Mamadogs (1 vote): No description.

Crimsonbox (1 vote): No description.

Raindrop (1 vote): Raindrop is a loader discovered during the Solorigate investigation alongside TEARDROP, SUNBURST, and the actor's other custom loaders for the Cobalt Strike Beacon. These loaders, Raindrop included, were likely generated using custom Artifact Kit templates. Ra
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Microsoft
Malware
Trojan
Github
Exploit
exploitation
Implant
Shellcode
Payload
Beacon
Malwarebytes
Dropper
Loader
Cobalt Strike
Associated Malware
ID (type, votes): Profile description

GoldMax (Unspecified, 2 votes): GoldMax is a command-and-control backdoor written in Go and first documented by Microsoft; the earliest identified sample targets Windows and carries a compilation timestamp of May 2020. The same actor used it, together with GoldFinder and Sibot, for layered persistence after the initial SolarWinds compromise.

Sibot (Unspecified, 1 vote): Sibot is a dual-purpose VBScript designed to achieve persistence on an infected machine and then download and execute payloads from a remote C2 server. It reaches out to a compromised website to download a DLL to a folder under System32.

SUNSPOT (Unspecified, 1 vote): SUNSPOT is the build-system implant that CrowdStrike identified in the SolarWinds intrusion disclosed in December 2020. Attributed to COZY BEAR (also known as APT29 or "The Dukes"), it ran on the SolarWinds build server and inserted the SUNBURST backdoor into Orion builds during compilation. Once insid

NativeZone (Unspecified, 1 vote): NativeZone is a custom Cobalt Strike Beacon loader, so named by Microsoft, that is typically loaded and executed through rundll32.exe to deliver follow-on payloads. The malware uses DLL files, such as Document.dll and NativeCacheSvc.dll, and

trojan:win64/solorigate.sa!dha (Unspecified, 1 vote): No description. This is a Microsoft Defender detection name rather than a separately tracked family.
Associated Threat Actors
ID (type, votes): Profile description

StellarParticle (Unspecified, 1 vote): StellarParticle, a threat actor associated with the COZY BEAR adversary group, has been identified as a significant cybersecurity risk by CrowdStrike. StellarParticle is known for its extensive knowledge of Windows and Linux operating systems, Microsoft Azure, O365, and Active Directory, and it has

APT29 (Unspecified, 1 vote): APT29, also known as Midnight Blizzard and Cozy Bear, is a Russia-linked threat actor known for executing actions with malicious intent. This group has been involved in several high-profile cyber attacks, exploiting vulnerabilities in software and systems to compromise their targets. APT29 has utiliz

NOBELIUM (Unspecified, 1 vote): Nobelium, a threat actor also known as Midnight Blizzard and Cozy Bear, is a Russian state-sponsored entity notorious for executing actions with malicious intent. Known for its sophisticated methods, Nobelium uses a tool called FoggyWeb to remotely exfiltrate the configuration database of compromise
Associated Vulnerabilities
ID (type, votes): Profile description

No associations to display.
Source Document References
Information about the TEARDROP malware was read from the documents listed below. This list is limited to 20 results.
Source (created): Title

MITRE (a year ago): Raindrop: New Malware Discovered in SolarWinds Investigation
MITRE (a year ago): Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop - Microsoft Security Blog
MITRE (a year ago): Breaking down NOBELIUM's latest early-stage toolset - Microsoft Security Blog
MITRE (a year ago): Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | Mandiant
MITRE (a year ago): FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor - Microsoft Security Blog
MITRE (a year ago): New sophisticated email-based attack from NOBELIUM - Microsoft Security Blog
MITRE (a year ago): GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM's layered persistence - Microsoft Security Blog
MITRE (a year ago): Security Advisory | SolarWinds
MITRE (6 months ago): SolarStorm Supply Chain Attack Timeline
CERT-EU (a year ago): Liaison: the series with Vincent Cassel and Eva Green is AppleTV+'s first misfire
MITRE (a year ago): SUNSPOT Malware: A Technical Analysis | CrowdStrike
MITRE (6 months ago): Assembling the Russian Stacking Doll: UNC2452 Merged into APT29
Malwarebytes (10 months ago): Microsoft Teams used in phishing campaign to bypass multi-factor authentication