SolarWinds Hackers Used 'Raindrop' Malware for Lateral Movement (Security News, January 2021)

The threat group behind the supply chain attack that targeted Texas-based IT management company SolarWinds leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads, Broadcom-owned cybersecurity firm Symantec reported on Tuesday.
The trojanized SolarWinds Orion updates delivered a piece of malware named Sunburst, which the attackers had inserted into the Orion product using another piece of malware, named Sunspot.
For the few hundred victims that were of interest to them, including government and high-profile private organizations, the hackers also delivered a piece of malware that researchers named Teardrop, which in turn attempted to deploy a custom version of Cobalt Strike's Beacon payload. According to Symantec, the attackers also used another tool, very similar to Teardrop, for lateral movement and to deliver the same Cobalt Strike payload: Raindrop, described by the company as a loader and tracked as Backdoor.
"Raindrop appears to have been used for spreading across the victim's network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst," Symantec said in a blog post.
On devices infected with Raindrop, the company also noticed tools that can be used to obtain passwords and keys, and saw the execution of PowerShell commands with the goal of executing instances of Raindrop on other devices on the network.
Kaspersky recently found a link between the Sunburst malware and Kazuar, a piece of malware previously connected to a Russian cyberspy group known as Turla.