
Researchers traced another strain malware that used in SolarWinds Supply chain attack. The attackers also used another tool very similar to Teardrop for lateral movement and to deliver the same Cobalt Strike payload. Raindrop, described by the company as a loader and tracked as Backdoor.Raindrop, was spotted on compromised networks but, unlike Teardrop, it doesn’t appear to have been delivered directly by Sunburst.
Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by SunBurst.
On devices infected with Raindrop, the researchers also noticed tools that can be used to obtain passwords and keys, and saw the execution of PowerShell commands with the goal of executing instances of Raindrop on other devices on the network.
While Raindrop is similar to Teardrop, Symantec says they use different packers and there are differences in Cobalt Strike configurations. In one instance, Cobalt Strike was configured to use SMB Named Pipe as a communications protocol rather than HTTPS, which led experts to believe that the compromised device did not have direct access to the internet, forcing the attackers to route C&C communications through another computer on the network.
Each day one new strains getting in to limelight …its getting bigger… Bitter … Huge..