TEARDROP Malware Description

TEARDROP is one of the malware threats leveraged in the supply-chain attack against Solarwind's Orion platform. The threat actor unleashed a slew of different threatening tools in accordance with the specific goals of the operation and the particular infected target. The never-before-seen TEARDROP malware acted as a second-stage dropper, tasked with the delivery of a next-stage payload - the Cobalt Strike Beacon Implant (Version 4). It should be noted that Cobalt Strike is a legitimate Remote Access Tool designed to be used in penetration tests. However, its vast set of potent functions have made it a popular fixture in the arsenal of multiple hacker groups. Cobalt Strike allows a potential threat actor to establish near full control over the compromised system. The RAT (Remote Access Tool) can be commanded to establish keylogging routines, take arbitrary shots on the system, deliver additional harmful payloads, manipulate the file system, and exfiltrate select sensitive data to remote servers through encrypted tunnels.

TEARDROP Malware's Structure

The TEARDROP dropper a threatening 64-bit dynamic-link library (DLL) that operates in memory entirely without writing any files on disk. It runs as a service, spawns a thread, and reads the first 64-bytes of a file named 'festive_computer.jpg.' The data is not needed for anything and the threat will continue with its operations even without the 'festive_computer.jpg' file. The actual name of the file may vary, as some infosec researchers have detected other versions such as 'gracious_truth.jpg.'

The next step for the TEARDROP malware is to check for the presence of HKU\SOFTWARE\Microsoft\CTF and decode the embedded Cobalt Strike beacon payload via a custom XOR algorithm. Finally, the dropper loads the embedded payload into memory through a custom PE-like format.

TEARDROP is closely related to another dropper family observed in the same supply-chain attack named Raindrop. The two threats have identical functionalities and significant overlaps virtually, and they do exhibit some key differences. The biggest distinguishing factor between the two malware families is the use of a different packer for Raindrop.