On January 19, 2021, Symantec announced that new malware had been identified in connection with the SolarWinds attack.
This loader, named Raindrop, is notable for its similarity to the previously discovered Teardrop malware.
Raindrop loads the Cobalt Strike Beacon payload. It is compiled as a DLL and communicates over HTTPS.
Preliminary analysis indicates that Raindrop is deployed specifically to move laterally within the target's network.
Sunburst / Teardrop / Raindrop Indicators
It is recommended that the following indicators of compromise (IoCs) be monitored in detection systems and entered as signatures in blocking devices.
SHA256
118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51
1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
1ec138f21a315722fb702706b4bdc0f544317f130f4a009502ec98345f85e4ad
2a276f4b11f47f81dd2bcb850a158d4202df836769da5a23e56bf0353281473e
327f1d94bc26779cbe20f8689be12c7eee2e390fbddb40b92ad00b1cddfd6426
3985dea8e467c56e8cc44ebfc201253ffee923765d12808aaf17db2c644c4c06
557f91404fb821d7c1e98d9f2f5296dc12712fc19c87a84602442b4637fb23d4
5cf85c3d18cd6dba8377370883a0fffda59767839156add4c8912394f76d6ef0
5f8650ca0ed22ad0d4127eb4086d4548ec31ad035c7aec12c6e82cb64417a390
674075c8f63c64ad5fa6fd5e2aa6e4954afae594e7b0f07670e4322a60f3d0cf
6ff3a4f7fd7dc793e866708ab0fe592e6c08156b1aa3552a8d74e331f1aea377
7c68f8d80fc2a6347da7c196d5f91861ba889afb51a4da4a6c282e06ef5bdb7e
915705c09b4bd108bcd123fe35f20a16d8c9c7d38d93820e8c167695a890b214
948bfdfad43ad52ca09890a4d2515079c29bdfe02edaa53e7d92858aa2dfbe4c
955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3
b348546f4c6a9bcafd81015132f09cf8313420eb653673bf3d65046427b1167f
b35e0010e0734fcd9b5952ae93459544ae33485fe0662fae715092e0dfb92ad3
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07
be9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725
c5a818d9b95e1c548d6af22b5e8663a2410e6d4ed87df7f9daf7df0ef029872e
c741797dd400de5927f8b5317165fc755d6439749c39c380a1357eac0a00f90c
c7924cc1bc388cfcdc2ee2472899cd34a2ef4414134cbc23a7cb530650f93d98
c96b7a3c9acf704189ae8d6124b5a7b1f0e8c83c246b59bc5ff15e17b7de4c84
cbbe224d9854d6a4269ed2fa9b22d77681f84e3ca4e5d6891414479471f5ca68
cdd9b4252ef2f6e64bccc91146ec5dc51d94e2761184cd0ffa9909aa739fa17e
dbd26ccb3699f426dc6799e218b91d1a3c1d08ad3006bc2880e29c755a4e2338
e60e1bb967db273b922deeea32d56fc6d9501a236856ef9a3e5f76c1f392000a
f2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418
f61a37aa8581986ba600286d65bb76100fb44e347e253f1f5ad50051e5f882f5
f81987f1484bfe5441be157250b35b0a2d7991cf9272fa4eacd3e9f0dee235de
File Paths (Cobalt Strike Beacon Loader)
C:\Windows\ms\sms\sms.dll
C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll
C:\Windows\AUInstallAgent\auagent.dll
C:\Windows\apppatch\apppatch64\sysmain.dll
C:\Windows\Vss\Writers\Application\AppXML.dll
C:\Windows\PCHEALTH\health.dll
C:\Windows\Registration\crmlog.dll
C:\Windows\Cursors\cursrv.dll
C:\Windows\AppPatch\AcWin.dll
C:\Windows\CbsTemp\cbst.dll
C:\Windows\AppReadiness\Appapi.dll
C:\Windows\Panther\MainQueueOnline.dll
C:\Windows\AppReadiness\AppRead.dll
C:\Windows\PrintDialog\PrintDial.dll
C:\Windows\ShellExperiences\MtUvc.dll
C:\Windows\PrintDialog\appxsig.dll
C:\Windows\DigitalLocker\lock.dll
C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.dll
C:\Windows\Migration\WTR\ctl.dll
C:\Windows\ELAMBKUP\WdBoot.dll
C:\Windows\LiveKernelReports\KerRep.dll
C:\Windows\Speech_OneCore\Engines\TTS\en-US\enUS.Name.dll
C:\Windows\SoftwareDistribution\DataStore\DataStr.dll
C:\Windows\RemotePackages\RemoteApps\RemPack.dll
C:\Windows\ShellComponents\TaskFlow.dll
Beacon domains
aimsecurity[.]net
datazr[.]com
ervsystem[.]com
financialmarket[.]org
gallerycenter[.]org
infinitysoftwares[.]com
mobilnweb[.]com
olapdatabase[.]com
swipeservice[.]com
techiefly[.]com
URLs
https(://)panhardware(.)com/files/documentation_076.pdf
https(://)panhardware(.)com/wp-admin/new_file.php
panhardware[.]com
https(://)bigtopweb(.)com/files/page_306.pdf
https(://)bigtopweb(.)com/wp-admin/admin-ajax.php
https(://)infinitysoftwares(.)com/files/information_055.pdf
https(://)infinitysoftwares(.)com/wp-admin/new_file.php
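The following script shows one way to turn the lists above into a host and log hunt: it refangs the defanged indicators, checks whether any of the listed loader DLL paths exist on the host and whether their SHA256 is in the known-bad set, and matches proxy or DNS log lines against the beacon domains and URL hosts. It is an added example written for this page, not code from Symantec or from the advisory's author; only a subset of the hashes and paths is embedded (the rest are meant to be pasted in from the lists above), and the log lines are constructed samples.

```python
# Added example: hunt for the Sunburst / Teardrop / Raindrop IoCs listed in the advisory.
# Not code from Symantec or the advisory's author. Hash and path lists are subsets;
# extend them with the remaining entries from the advisory.
import hashlib
import os
import re
import urllib.parse

# Subset of the advisory's SHA256 list.
KNOWN_BAD_SHA256 = {
    "118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51",
    "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c",
}

# Subset of the advisory's Cobalt Strike Beacon loader paths.
LOADER_PATHS = [
    r"C:\Windows\ms\sms\sms.dll",
    r"C:\Windows\Microsoft.NET\Framework64\sbscmp30.dll",
    r"C:\Windows\AUInstallAgent\auagent.dll",
]

# Network indicators exactly as the advisory defangs them.
DEFANGED_DOMAINS = [
    "aimsecurity[.]net", "datazr[.]com", "ervsystem[.]com", "financialmarket[.]org",
    "gallerycenter[.]org", "infinitysoftwares[.]com", "mobilnweb[.]com",
    "olapdatabase[.]com", "swipeservice[.]com", "techiefly[.]com",
]
DEFANGED_URLS = [
    "https(://)panhardware(.)com/files/documentation_076.pdf",
    "https(://)panhardware(.)com/wp-admin/new_file.php",
    "panhardware[.]com",
    "https(://)bigtopweb(.)com/files/page_306.pdf",
    "https(://)bigtopweb(.)com/wp-admin/admin-ajax.php",
    "https(://)infinitysoftwares(.)com/files/information_055.pdf",
    "https(://)infinitysoftwares(.)com/wp-admin/new_file.php",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]com', 'https(://)x(.)y') back into its live form."""
    live = indicator.strip()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("(://)", "://"), ("[://]", "://")):
        live = live.replace(broken, fixed)
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


def host_of(indicator: str) -> str:
    """Hostname of a (possibly defanged) URL; a bare domain is returned as-is."""
    live = refang(indicator)
    if "://" not in live:
        return live.lower()
    return (urllib.parse.urlsplit(live).hostname or "").lower()


# Everything worth alerting on: the beacon domains plus the hosts of the listed URLs.
BEACON_DOMAINS = sorted({refang(d).lower() for d in DEFANGED_DOMAINS}
                        | {host_of(u) for u in DEFANGED_URLS})


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file so a large DLL does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_loader_paths(paths, bad_hashes, exists=os.path.isfile, digest=sha256_of_file):
    """Return (path, sha256, known_bad) for every listed path present on this host.

    A present file whose hash is not in the list still needs manual review: the path is
    the indicator, and a rebuilt loader would not share a hash. `exists` and `digest`
    are injectable so the logic can be exercised without touching disk.
    """
    findings = []
    for path in paths:
        if exists(path):
            h = digest(path)
            findings.append((path, h, h in bad_hashes))
    return findings


def scan_log(lines, domains=None):
    """Return (line_number, domain) for each log line referencing a beacon domain.

    Matches the domain and any subdomain of it; neighbouring characters must not be
    hostname characters, so 'xaimsecurity.net' is ignored but 'cdn.aimsecurity.net/' hits.
    """
    domains = BEACON_DOMAINS if domains is None else domains
    patterns = [(d, re.compile(r"(?<![a-z0-9-])" + re.escape(d) + r"(?![a-z0-9-])"))
                for d in domains]
    hits = []
    for number, line in enumerate(lines, start=1):
        low = line.lower()
        for d, pattern in patterns:
            if pattern.search(low):
                hits.append((number, d))
    return hits


# Constructed proxy/DNS log lines for demonstration; not real telemetry.
SAMPLE_LOG = [
    "2021-01-20T10:00:01Z src=10.0.0.12 GET https://www.microsoft.com/ 200",
    "2021-01-20T10:00:07Z src=10.0.0.12 GET https://cdn.aimsecurity.net/update 200",
    "2021-01-20T10:00:09Z src=10.0.0.13 DNS query panhardware.com. A",
    "2021-01-20T10:00:11Z src=10.0.0.14 GET https://bigtopweb.com/files/page_306.pdf 200",
]

if __name__ == "__main__":
    for path, h, bad in check_loader_paths(LOADER_PATHS, KNOWN_BAD_SHA256):
        print(f"[{'MATCH' if bad else 'REVIEW'}] {path} sha256={h}")
    for number, domain in scan_log(SAMPLE_LOG):
        print(f"[NET] line {number}: {domain}")
```

Run it on a Windows host with the full hash and path lists pasted in; on any other platform only the log scan produces output. The domain match deliberately treats a present file with an unlisted hash as a finding to review rather than as clean, and matches subdomains, since beacon traffic often uses a host under the listed domain rather than the apex.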