Teardrop is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by UNC2452 since at least May 2020.[1][2]

ID: S0560
Platforms: Windows
Version: 1.0
Created: 06 January 2021
Last Modified: 25 January 2021

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Teardrop ran as a Windows service from the c:\windows\syswow64 folder.[3][1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Teardrop was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[1][3][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Teardrop files had names that resembled legitimate Window file and directory names.[1][2]

Enterprise T1112 Modify Registry

Teardrop modified the Registry to create a Windows service for itself on a compromised host.[3]

Enterprise T1027 Obfuscated Files or Information

Teardrop created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[1][3][2]

Enterprise T1012 Query Registry

Teardrop checked that HKU\SOFTWARE\Microsoft\CTF existed before decoding its embedded payload.[1][2]

Groups That Use This Software

ID Name References
G0118 UNC2452