Raindrop
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Raindrop was installed under names that resembled legitimate Windows file and directory names.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.(Citation: Symantec RAINDROP January 2021)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | After initial installation, Raindrop runs a computation to delay execution.(Citation: Symantec RAINDROP January 2021)
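The T1027.013 row above notes that the payload is protected only by a single-byte XOR key. Because such a key has just 256 possible values, an analyst can recover it from a captured sample by trying every key and scoring each candidate decode against markers expected in the hidden file. The script below is an added example, not code from the ATT&CK page or from the cited reports; it assumes the hidden payload is a Windows PE image (the marker strings and weights are this example's own choices), and the encoded blob it works on is constructed in `build_sample_blob`, not taken from Raindrop.

```python
"""Recover a single-byte XOR key from an encoded blob by scoring every
candidate decode against markers expected in a Windows PE file.

Added example for illustration; the sample blob is constructed here and is
not Raindrop's payload.
"""
from __future__ import annotations

# Markers a decoded PE image is expected to contain (assumption: the hidden
# payload is a PE file). Weights reflect how specific each marker is.
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_decode(candidate: bytes) -> int:
    """Score a candidate decode: MZ header, DOS stub string, PE signature."""
    score = 0
    if candidate[:2] == PE_MARKERS[0]:
        score += 2
    if PE_MARKERS[1] in candidate:
        score += 10
    if PE_MARKERS[2] in candidate:
        score += 5
    return score


def recover_xor_key(blob: bytes) -> tuple[int, int]:
    """Try all 256 single-byte keys and return (best_key, best_score).

    The first key reaching the highest score wins; a score of 0 means no
    candidate looked like a PE image, so the blob is probably not protected
    by a single-byte XOR (or is not a PE file at all).
    """
    best_key, best_score = 0, -1
    for key in range(256):
        score = score_decode(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Construct a minimal PE-like buffer and XOR-encode it (sample data)."""
    plain = (
        b"MZ" + b"\x90" * 62
        + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
        + b"This program cannot be run in DOS mode.\r\r\n$\x00"
        + b"PE\x00\x00" + b"\x00" * 32
    )
    return xor_bytes(plain, key)


if __name__ == "__main__":
    blob = build_sample_blob()
    key, score = recover_xor_key(blob)
    decoded = xor_bytes(blob, key)
    print(f"key=0x{key:02x} score={score} header={decoded[:2]!r}")
```

Running the script on the constructed sample recovers key 0x5A with the maximum score of 17. On a real sample the same loop works unchanged; only the marker set needs to match whatever file type the loader is expected to carry.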
Groups That Use This Software

ID | Name | References
---|---|---
G0118 | UNC2452 | (Citation: Symantec RAINDROP January 2021)
G0016 | APT29 | (Citation: Symantec RAINDROP January 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile)
References
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.