SOFTWARE
SOFTWARE
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
TEARDROP
ID: S0560
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.1
Created: 06 January 2021
Last Modified: 26 April 2021
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
TEARDROP ran as a Windows service from the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[1][3][2] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
TEARDROP files had names that resembled legitimate Window file and directory names.[1][2] |
| Enterprise | T1112 | Modify Registry |
TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[3] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[1][3][2] |
|
| Enterprise | T1012 | Query Registry |
TEARDROP checked that |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 |
References
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
×