Security researchers have identified a fourth piece of malware used in the SolarWinds supply chain attack, the breach uncovered in December 2020. Dubbed “Raindrop,” it joins Sunspot, Sunburst (also referred to as Solorigate) and Teardrop in the attackers’ toolkit. Each plays a distinct role: Sunspot compromised the build system, Sunburst was the backdoor shipped inside Orion updates, and Teardrop and Raindrop are loaders that stage follow-on payloads inside victim networks.
Raindrop, documented by Symantec’s Threat Hunter Team (Symantec is a division of Broadcom), is not self-propagating: it is a loader that the attackers ran on additional computers inside networks they had already breached. The ongoing investigation into the campaign, which U.S. agencies assess is likely Russian in origin, has found victims across multiple U.S. government agencies and private sector firms, raising alarms about the national security implications.
Symantec described Raindrop as an important piece in reconstructing what happened after the initial Sunburst compromise. Its research shows Raindrop being used to spread across victim networks: once the attackers had a foothold, they used it to deploy further payloads on other systems, behaviour that maps to the Lateral Movement tactic in the MITRE ATT&CK framework rather than to persistence on the originally infected host.
To date, researchers have identified only a handful of Raindrop samples (Symantec reported four), each used to deliver a Cobalt Strike Beacon. Beacon is the implant from the commercial Cobalt Strike red-team framework; it runs in memory and gives the operator command execution, keystroke capture, file transfer, privilege escalation and port scanning, exactly the capabilities needed to maintain and extend access inside a target environment.
For context: in December, Symantec reported that roughly 2,000 computers at about 100 of its customers had received the trojanized SolarWinds Orion updates. A subset of those machines were then infected with Teardrop, a separate loader that also delivers Cobalt Strike Beacon. The layered design appears deliberate: keeping the widely distributed Sunburst backdoor separate from the hands-on-keyboard Beacon payload means that detection of one stage reveals less about the others, which complicates both analysis and attribution.
Importantly, Teardrop was found on machines that had already been compromised by Sunburst, whereas Raindrop appeared on other computers in the same networks, with no evidence that Sunburst delivered it. That pattern points to lateral movement: the attackers used Raindrop to extend their reach from the initial Orion foothold to systems of interest elsewhere in the victim’s network. The chain began with Sunspot, which compromised SolarWinds’ build environment and injected the Sunburst backdoor into the Orion network monitoring product; the trojanized update was then distributed to as many as 18,000 customers.
Microsoft’s analysis of these attacks shows that the threat actors were selective, escalating from the Sunburst foothold to hands-on intrusion only in specific, high-value environments after a preliminary assessment of what they had compromised. Raindrop fits that picture. Like Teardrop, it is a loader for Cobalt Strike Beacon; what sets it apart is where it turns up, on hosts beyond the initially infected Orion server, marking the stage at which the attackers chose to spread inside a network they already held. Symantec also noted that Raindrop uses a different packer from Teardrop, built from modified 7-Zip source code, so detections written for one loader will not necessarily catch the other.
In summary, Raindrop underscores how much of this campaign is still being reconstructed. Symantec has not named the organizations affected by it, but noted that in at least one victim it was found on a computer running access and management software. For organizations that received the trojanized updates, that makes hunting for Beacon loaders on hosts beyond the Orion servers a priority, not an afterthought.