1. Home
  2. Software
  3. TEARDROP

TEARDROP

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.[1][2]

ID: S0560
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 06 January 2021
Last Modified: 27 March 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.[3][1]
Enterprise T1140 Deobfuscate/Decode Files or Information

TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[1][3][2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TEARDROP files had names that resembled legitimate Window file and directory names.[1][2]
Enterprise T1112 Modify Registry

TEARDROP modified the Registry to create a Windows service for itself on a compromised host.[3]
Enterprise T1027 Obfuscated Files or Information

TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[1][3][2]
Enterprise T1012 Query Registry

TEARDROP checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[1][2]

Groups That Use This Software

ID Name References
G0016 APT29

[1][4][5][6][7][8][9]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[2][10][1]

References

  1. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  3. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  4. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
  5. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  1. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  2. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  3. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  4. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.
  5. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.