Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
ID: S0565
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 19 Jan 2021
Last Modified: 11 Apr 2024

Techniques Used

Domain | ID | Name | Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Raindrop was installed under names that resembled legitimate Windows file and directory names.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Enterprise T1027.003 Obfuscated Files or Information: Steganography

Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.(Citation: Symantec RAINDROP January 2021)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

After initial installation, Raindrop runs a computation to delay execution.(Citation: Symantec RAINDROP January 2021)
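The packing and encoding rows above describe a two-layer wrapper (LZMA compression, then a single-byte XOR). The following analyst helper, added here as a constructed example and not Raindrop's own code or data, shows how a carved blob of that shape can be unpacked for triage by brute-forcing the one-byte key and accepting only the candidate that yields a valid LZMA stream; the sample payload, key and packing routine are stand-ins.

```python
"""Analyst helper, constructed for this page: brute-forces the single-byte XOR
layer over an LZMA-compressed blob, the layering described for Raindrop.
Payload, key and packing routine below are constructed stand-ins, not
Raindrop's own data or code."""
import lzma

# Constructed sample; a real carve would come from the suspect DLL's data.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 64 + b"constructed payload body " * 8
SAMPLE_KEY = 0x5A
MAX_DICT_SIZE = 64 * 1024 * 1024  # reject headers asking for absurd dictionaries


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def pack_like_raindrop(payload: bytes, key: int) -> bytes:
    """Model the described layering: LZMA ('alone' container) then one-byte XOR."""
    return xor_single_byte(lzma.compress(payload, format=lzma.FORMAT_ALONE), key)


def recover_key_and_payload(blob: bytes):
    """Return (key, payload) for the key that yields a valid LZMA stream, else None.

    Cheap header checks prune candidates before any decompression attempt:
    the LZMA 'alone' properties byte (lc/lp/pb) is always below 225, and the
    4-byte dictionary size that follows is bounded for sane packers.
    """
    for key in range(256):
        if not blob or (blob[0] ^ key) >= 225:
            continue
        candidate = xor_single_byte(blob, key)
        if int.from_bytes(candidate[1:5], "little") > MAX_DICT_SIZE:
            continue
        try:
            payload = lzma.decompress(candidate, format=lzma.FORMAT_ALONE)
        except (lzma.LZMAError, MemoryError):
            continue  # wrong key: header or range-coder data is corrupt
        return key, payload
    return None


if __name__ == "__main__":
    blob = pack_like_raindrop(SAMPLE_PAYLOAD, SAMPLE_KEY)
    found = recover_key_and_payload(blob)
    print(f"key=0x{found[0]:02x}, payload starts with {found[1][:2]!r}")
```

Locating the start of the encoded region inside the host 7-Zip code (the steganography row) is a separate carving step; this helper assumes the blob has already been extracted.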

Groups That Use This Software

ID Name References
G0118 UNC2452

(Citation: Symantec RAINDROP January 2021)

G0016 APT29

(Citation: Symantec RAINDROP January 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile)

(Citation: Microsoft Deep Dive Solorigate January 2021) (Citation: Symantec RAINDROP January 2021)
