TEARDROP

Description

(FireEye) Multiple SUNBURST samples have been recovered, delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON.

Names

Name
TEARDROP

Category

Malware

Type

• Dropper

Information

• https://us-cert.cisa.gov/ncas/alerts/aa20-352a
• http://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
• https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
• https://github.com/fireeye/sunburst_countermeasures
• https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
• https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
• https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
• https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
• https://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack/
• https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
• https://blog.malwarebytes.com/threat-analysis/2020/12/advanced-cyber-attack-hits-private-and-public-sector-via-supply-chain-software-update/
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-solarwinds-supply-chain-attack
• https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
• https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/
• https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
• https://www.cadosecurity.com/post/responding-to-solarigate
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data
• https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
• https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sunburst-malware-and-solarwinds-supply-chain-compromise/
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/
• https://www.tripwire.com/state-of-security/vert/vert-alert-solar-winds-supply-chain-attack/
• https://blog.cyberint.com/solarwinds-supply-chain-attack
• https://blog.checkpoint.com/2020/12/21/best-practice-identifying-and-mitigating-the-impact-of-sunburst/
• https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
• https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q
• https://blog.qualys.com/qualys-insights/2020/12/22/qualys-security-advisory-solarwinds-fireeye
• https://www.cyfirma.com/solarwinds-hack-sunburst-supernova-and-more/
• https://gist.github.com/SwitHak/8b59e740b187511caad1bf06caa44df1
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b

Mitre Attack

• https://attack.mitre.org/software/S0560/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop

Other Information

Uuid

65d92c90-e74c-44ae-9362-1065b68c4ed0

Last Card Change

2022-12-30