TEARDROP

Malware updated 5 months ago (2024-05-04T21:18:10.380Z)
Download STIX
Preview STIX
Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the same threat actor. This malicious software infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal information, or even hold data hostage for ransom. Teardrop is unique as it does not contain a custom preliminary loader, instead, the loader DLL de-obfuscates and executes the Cobalt Strike Reflective DLL in memory. Microsoft has analyzed two versions of this second-stage custom Cobalt Strike Beacon loader, known as Teardrop. The malware was detected during the Solorigate investigation, where it was likely generated using custom Artifact Kit templates. Notably, Teardrop is a memory-only dropper that runs as a service, spawns a thread, and reads from the file "gracious_truth.jpg," which likely has a fake JPG header. In at least one instance, the attackers deployed Teardrop to execute a customized Cobalt Strike BEACON. The communication with the command and control server (C2) is mainly carried out through rundll32.exe. Mitigation strategies have been provided by FireEye, which includes Yara rules to detect Teardrop. Defenders should look for specific alerts from FireEye HX: MalwareGuard and WindowsDefender. Teardrop does not have code overlap with any previously seen malware, making its detection and mitigation a challenging task. The threat actors also match the hostnames on their command and control infrastructure to legitimate hostnames found within the victim's environment, further complicating the detection process. Despite these challenges, ongoing efforts by cybersecurity firms continue to monitor and mitigate this threat.
Description last updated: 2024-05-04T20:21:17.342Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
SUNBURST is a possible alias for TEARDROP. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Microsoft
Backdoor
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The GoldMax Malware is associated with TEARDROP. GoldMax is a sophisticated malware, initially discovered to target Windows platforms with the earliest identified timestamp indicating a compilation in May 2020. The malicious software was designed by threat actors to exploit and damage computer systems, often infiltrating without the user's knowledUnspecified
2