SYMBOLCOMMON_NAMEaka. SYNONYMS
win.teardrop (Back to overview)

TEARDROP

Actor(s): UNC2452

TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.

References
2022-07-31BushidoToken BlogBushidoToken
Space Invaders: Cyber Threats That Are Out Of This World
Poison Ivy Raindrop SUNBURST TEARDROP WastedLocker
2022-07-18Palo Alto Networks Unit 42Unit 42
Solar Phoenix
SUNBURST TEARDROP UNC2452
2022-04-27MandiantMandiant
Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-13YouTube ( Matt Soseman)Matt Soseman
Solarwinds and SUNBURST attacks compromised my lab!
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-07-13SymantecThreat Hunter Team
Attacks Against the Government Sector
Raindrop TEARDROP
2021-06-01SANSJake Williams, Kevin Haley
A Contrarian View on SolarWinds
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-03-08Youtube (SANS Digital Forensics and Incident Response)Adam Pennington, Jen Burns, Katie Nickels
STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
Cobalt Strike SUNBURST TEARDROP
2021-03-04MicrosoftAndrea Lelli, Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC), Ramin Nafisi
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
SUNBURST TEARDROP UNC2452
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-16AccentureAlexandrea Berninger
Hard lessons learned: Threat intel takeaways from the community response to Solarigate
SUNBURST TEARDROP
2021-02-09SecurehatSecurehat
Extracting the Cobalt Strike Config from a TEARDROP Loader
Cobalt Strike TEARDROP
2021-02-08US-CERTUS-CERT
Malware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP
TEARDROP
2021-01-20MicrosoftMicrosoft 365 Defender Research Team, Microsoft Cyber Defense Operations Center (CDOC), Microsoft Threat Intelligence Center (MSTIC)
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
Cobalt Strike SUNBURST TEARDROP
2021-01-18SymantecThreat Hunter Team
Raindrop: New Malware Discovered in SolarWinds Investigation
Cobalt Strike Raindrop SUNBURST TEARDROP
2021-01-12BrightTALK (FireEye)Ben Read, John Hultquist
UNC2452: What We Know So Far
Cobalt Strike SUNBURST TEARDROP
2021-01-11SolarWindsSudhakar Ramakrishna
New Findings From Our Investigation of SUNBURST
Cobalt Strike SUNBURST TEARDROP
2021-01-04Twitter (@TheEnergyStory)Dominik Reichel
Some small detail on compiler used for TEARDROP
TEARDROP
2021-01-01SymantecSymantec Threat Hunter Team
Supply Chain Attacks:Cyber Criminals Target the Weakest Link
Cobalt Strike Raindrop SUNBURST TEARDROP
2020-12-28MicrosoftMicrosoft 365 Defender Team
Using Microsoft 365 Defender to protect against Solorigate
SUNBURST TEARDROP
2020-12-24Twitter (@TheEnergyStory)Dominik Reichel
Tweet on TEARDROP sample
TEARDROP
2020-12-23Palo Alto Networks Unit 42Unit 42
A Timeline Perspective of the SolarStorm Supply-Chain Attack
SUNBURST TEARDROP
2020-12-22CheckpointCheck Point Research
SUNBURST, TEARDROP and the NetSec New Normal
SUNBURST TEARDROP
2020-12-22Medium mitre-attackAdam Pennington, Matt Malone
Identifying UNC2452-Related Techniques for ATT&CK
SUNBURST TEARDROP UNC2452
2020-12-21MicrosoftMSRC Team
Solorigate Resource Center
SUNBURST TEARDROP
2020-12-21FortinetUdi Yavo
What We Have Learned So Far about the “Sunburst”/SolarWinds Hack
Cobalt Strike SUNBURST TEARDROP
2020-12-18Costin Raiu
Tweet from Costin Raiu about confirmed TEARDROP sample
TEARDROP
2020-12-18MicrosoftMicrosoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-14SymantecThreat Hunter Team
Sunburst: Supply Chain Attack Targets SolarWinds Users
SUNBURST TEARDROP
2020-12-14Cisco TalosNick Biasini
Threat Advisory: SolarWinds supply chain attack
SUNBURST TEARDROP
2020-12-13FireEyeAlex Berry, Alex Pennino, Alyssa Rahman, Andrew Archer, Andrew Rector, Andrew Thompson, Barry Vengerik, Ben Read, Ben Withnell, Chris DiGiamo, Christopher Glyer, Dan Perez, Dileep Jallepalli, Doug Bienstock, Eric Scales, Evan Reese, Fred House, Glenn Edwards, Ian Ahl, Isif Ibrahima, Jay Smith, John Gorman, John Hultquist, Jon Leathery, Lennard Galang, Marcin Siedlarz, Matt Dunwoody, Matthew McWhirt, Michael Sikorski, Microsoft, Mike Burns, Nalani Fraiser, Nick Bennett, Nick Carr, Nick Hornick, Nick Richard, Nicole Oppenheim, Omer Baig, Ramin Nafisi, Sarah Jones, Scott Runnels, Stephen Eckels, Steve Miller, Steve Stone, William Ballenthin
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-12-13Github (fireeye)FireEye
SUNBURST Countermeasures
SUNBURST SUPERNOVA TEARDROP UNC2452
2020-01-22Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP

There is no Yara-Signature yet.