

Cybersecurity researchers have discovered a new malware strain that was used in the now-infamous hack of SolarWinds Worldwide LLC last year.
Detailed Monday by researchers at Symantec, the malware, dubbed “Raindrop,” is a loader designed to deliver a Cobalt Strike payload. Cobalt Strike is penetration testing software favored by attackers, and its code leaked online in November.
The Cobalt Strike code allows attackers to deploy an agent on a victim’s machine, giving them access for further activities. Those can include command execution, keylogging, file transfer, privilege escalation and port scanning. In this case, Raindrop distributes Cobalt Strike across a targeted network.
Raindrop operates alongside two other malware families already known from the SolarWinds campaign, Teardrop and Sunburst. “While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network,” the researchers note.
“The significance of a now fourth malware strain being discovered is that it further supports the assessment that the threat actors responsible for the SolarWinds compromise are likely a highly capable and resourceful nation-state-associated threat group,” Ivan Righi, cyber threat intelligence analyst at digital risk protection solutions provider Digital Shadows Ltd., told SiliconANGLE. “Considering the sophistication demonstrated by the threat actors, who left little forensic evidence and took extensive steps to cover their tracks, it is realistically possible that more malware strains may have been used in the attack which have not yet been identified.”
Righi added that few historical cybersecurity incidents have gotten this much attention and postmortem analysis. “This will likely result in more malware strains being discovered and reported as more of the scope of the attack is revealed,” he said.
Chris Morales, head of security analytics at artificial intelligence cybersecurity company Vectra AI Inc., noted that although the malware strains vary slightly, and more of them will likely be exposed, the behaviors behind them have been consistent: network reconnaissance for user accounts and passwords, followed by lateral movement to targeted systems with privilege escalation.
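The behavior chain Morales describes (account reconnaissance, then lateral movement, then privilege escalation) is what a defender can look for regardless of which loader was used. The following is an added illustration, not code from the article, Symantec, or Vectra AI: it correlates a constructed set of host events by source machine and flags only hosts whose events progress through all three stages within a time window. The event kinds, host names and the two-hour window are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalized host event (hypothetical schema for this example)."""
    ts: datetime
    src: str      # host the activity originated from
    kind: str     # "recon", "lateral", "privesc" or anything else
    detail: str


# Constructed sample events; not taken from any real incident or log.
SAMPLE_EVENTS = [
    Event(datetime(2021, 1, 18, 9, 0), "ws-17", "recon", "enumerated domain admins group"),
    Event(datetime(2021, 1, 18, 9, 5), "ws-17", "recon", "queried domain password policy"),
    Event(datetime(2021, 1, 18, 9, 40), "ws-17", "lateral", "remote logon to srv-fs01"),
    Event(datetime(2021, 1, 18, 9, 42), "ws-17", "privesc", "new local admin on srv-fs01"),
    Event(datetime(2021, 1, 18, 10, 0), "ws-03", "lateral", "remote logon to srv-db02"),  # no recon first
    Event(datetime(2021, 1, 18, 11, 0), "ws-22", "recon", "enumerated domain admins group"),  # recon only
    Event(datetime(2021, 1, 18, 11, 30), "ws-22", "other", "software update check"),
]

# The stages must appear in this order for a host to be flagged.
STAGE_ORDER = ("recon", "lateral", "privesc")


def find_chains(events, window=timedelta(hours=2)):
    """Return {source_host: [matching events]} for every host whose events,
    taken in time order, progress recon -> lateral -> privesc, with the later
    stages occurring within `window` of the first recon event."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    hits = {}
    for src, evs in by_src.items():
        stage = 0
        start = None
        chain = []
        for e in evs:
            if e.kind != STAGE_ORDER[stage]:
                continue              # not the stage we are waiting for
            if stage == 0:
                start = e.ts          # chain starts at the first recon event
            elif e.ts - start > window:
                continue              # too late to belong to this chain
            chain.append(e)
            stage += 1
            if stage == len(STAGE_ORDER):
                hits[src] = chain
                break
    return hits


def summarize(hits):
    """Render flagged chains as one line per host, suitable for an alert."""
    lines = []
    for src, chain in hits.items():
        steps = " -> ".join(f"{e.kind}({e.detail})" for e in chain)
        lines.append(f"{src}: {steps}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_chains(SAMPLE_EVENTS)):
        print(line)
```

Only `ws-17` is flagged: `ws-03` moved laterally without any prior reconnaissance from that host, and `ws-22` only performed reconnaissance. Requiring the full ordered sequence is what keeps this from firing on routine administration, which also legitimately includes remote logons and group queries in isolation.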