Raindrop Malware Description
The Raindrop Malware is a loader Trojan that delivers a backdoor payload, giving attackers remote access to the infected system for espionage. Because it is installed through a hijacked, officially-signed update chain, organizations that run the affected software, SolarWinds' Orion Platform, should treat Orion servers as potentially compromised and isolate them from the network until they are updated and investigated. Users also can protect their systems through dedicated security solutions that should detect and delete the Raindrop Malware and related threats by default.
Newfound Rough Weather in Cyber-Spying Situations
By now, the SolarWinds supply-chain compromise (begun in 2019 and disclosed in December 2020) is well-understood: the SUNSPOT implant tampered with the Orion build process to insert the Sunburst backdoor into official updates, and Sunburst in turn delivered the Teardrop loader to selected victims. However, further analysis of victims provides rich clues about how deep the possibly-Russian hackers' spying activities go. Besides the previous tools, their espionage uses what seems like a specialized counterpart to Teardrop: a fourth Trojan, the Raindrop Malware.
The Raindrop Malware is very similar to Teardrop: both are late-stage loaders that deliver a backdoor payload, giving the threat actor access to compromised networks through their Command & Control (C&C) server. While their features and attacks have few differences, malware experts can point to some technical divergences. For example, the Raindrop Malware uses steganography (hiding the payload inside otherwise innocuous-looking data, rather than as a plain binary blob) that Teardrop does not, adds an extra layer of encryption to its payload for stealth, and includes different internal elements, such as junk code inserted to obstruct analysis. The Raindrop Malware isn't a variant or fork of Teardrop, despite its usage being almost identical in practice.
The installation technique that the Raindrop Malware uses also is a little different. In contrast to the numerous victims of Teardrop, only four Raindrop Malware samples have been found so far. Besides the selectivity of infections, the attackers also install the Raindrop Malware through a different, still-unknown mechanism: unlike Teardrop, it was not observed being delivered directly by Sunburst, and its installation leaves less evidence on the hard drive for analysis. However, it's definitive that the Raindrop Malware is part of the overall SUNSPOT Malware infection strategy, which hijacks the software-building process on SolarWinds' build servers and contaminates official updates to compromise customers running the Orion Platform.
Brushing Unwanted Moisture Off a PC
The Raindrop Malware's campaign still is an excellent warning signal that even users who stick to official updates from reputable companies are at risk, assuming that the stakes are high enough for the hackers. Notably, the trojanized Orion updates carried a valid SolarWinds code-signing signature, so verifying the signature alone would not have flagged them. Although malware researchers note similarities in code and operational methods between this campaign and some Russian espionage operations, attribution of the threat actor remains non-definitive. For now, home users are at low risk, but both government and corporate network and server administrators should take note of the risk.
Since the Raindrop Malware uses an installation method that leaves little evidence on disk, users have even fewer symptoms than usual for identifying possible infections. Besides isolating affected Orion servers from the network, users may protect their systems through the standard security steps. Their options include patching publicly-known vulnerabilities, using strong passwords and limiting the exposure of Remote Desktop features.
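The Remote Desktop hygiene mentioned above is easy to state and easy to get wrong in practice, so here is an added example (not code from the original article, and not related to any Raindrop indicator) that audits a Windows host for RDP exposure and, when asked, applies the hardened settings. It assumes an elevated PowerShell session on a host with the NetSecurity module available (Windows 8/Server 2012 or later); the management subnet in `$mgmtNet` is a placeholder you must change.

```powershell
# Audit RDP exposure on a Windows host; read-only unless -Harden is passed.
# Added example, not part of the original article. Run from an elevated session.
[CmdletBinding()]
param([switch]$Harden)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = @()

# fDenyTSConnections = 1 means Remote Desktop is disabled; anything else means it is on.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -ne 1) {
    $findings += 'Remote Desktop is enabled (fDenyTSConnections is not 1).'
}

# UserAuthentication = 1 requires Network Level Authentication before a session is created,
# so unauthenticated clients never reach the logon screen (or the RDP stack behind it).
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) {
    $findings += 'Network Level Authentication is not required (UserAuthentication is not 1).'
}

# Enabled inbound allow rules in the built-in "Remote Desktop" firewall group.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$openRules = $rules | Where-Object {
    $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
}
if ($openRules) {
    $findings += "Inbound firewall rules allowing RDP are enabled: $($openRules.DisplayName -join ', ')."
}

# Is anything actually listening on the default RDP port?
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $findings += "A listener is bound to TCP/3389 (owning PID: $($listen.OwningProcess -join ', '))."
}

if ($findings.Count -eq 0) {
    Write-Output 'RDP exposure audit: no findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Harden) {
    # Hardened configuration: require NLA and restrict the inbound RDP rules to the
    # management subnet. If RDP is not needed at all, disable it outright instead:
    #   Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    $mgmtNet = '10.0.0.0/24'   # assumption: your management subnet, change before use
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $mgmtNet
    Write-Output "Applied: NLA required; inbound RDP rules scoped to $mgmtNet."
}
```

Run it without arguments first and treat every warning as a question to answer (who needs RDP on this host, and from where?) before re-running with `-Harden`. Scoping the firewall rule to a management subnet rather than disabling the rule keeps legitimate administration working while removing the host from casual network-wide reach.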
Raindrop Malware infections come with an inherent presumption of privacy loss, wherein attackers may collect passwords and other sensitive information while leaving few traces or symptoms. Users still should employ dedicated and, ideally, up-to-date security services for deleting the Raindrop Malware, after which they may re-secure their PCs and data through any necessary means, including rotating any credentials that may have been exposed.
Trojans tend to come in batches, and that theme holds even more strongly than usual with intelligence operations. The Raindrop Malware might be number four on its campaign's list of black hat tools, but more could surface, even after more than a year of activity against Orion customers.