1. Home
  2. Software
  3. Raindrop

Raindrop

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.[1][2]

ID: S0565
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 19 January 2021
Last Modified: 11 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[1][2]
Enterprise T1036 Masquerading

Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.[1][2]
.005 Match Legitimate Name or Location

Raindrop was installed under names that resembled legitimate Windows file and directory names.[1][2]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[1][2]
.003 Obfuscated Files or Information: Steganography

Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.[1]
.013 Obfuscated Files or Information: Encrypted/Encoded File

Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[1][2]
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

After initial installation, Raindrop runs a computation to delay execution.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][3][4][5][6][7]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[2][1]

References

  1. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  3. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  4. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  1. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  2. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  3. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.