Domain | ID | Name | Use
---|---|---|---
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[1][2]
Enterprise | T1036 | Masquerading | Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.[1][2]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Raindrop was installed under names that resembled legitimate Windows file and directory names.[1][2]
Enterprise | T1027 | Obfuscated Files or Information | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[1][2]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[1][2]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[1]
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | After initial installation, Raindrop runs a computation to delay execution.[1]
ID | Name | References
---|---|---
G0016 | APT29 | 