Author: James Barnett
1. Executive Summary
On 8 February, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware related to the supply chain attack on SolarWinds’ Orion platform that was discovered in December 2020.1 Cybersecurity company FireEye has named this malware TEARDROP. The report details the analysis of a trojan backdoor that decrypts and executes an embedded payload – Cobalt Strike Beacon Implant (Version 4) – that enables the attacker to remotely control infected systems through an encrypted network tunnel.
2.1. TEARDROP DLL
CISA reports that TEARDROP is a malicious 64-bit dynamic-link library (DLL) that decrypts and loads a malicious payload from an embedded code buffer. When executed, the malware attempts to read the first 64-bytes of a file named festive_computer.jpg but it does not actually utilize the data it reads from this file and will continue executing even if the file doesn’t exist. After attempting to read festive_computer.jpg, the TEARDROP DLL uses an XOR cipher to decrypt and execute the Cobalt Strike Beacon Implant (Version 4) remote access tool (RAT) contained within its embedded code buffer. TEARDROP does not create any files during this process since the malware operates entirely within memory.
2.2. Cobalt Strike
Cobalt Strike is a legitimate penetration testing tool that has become increasingly popular amongst threat actors due to its wide array of powerful features. Its capabilities include keylogging, taking screenshots, deploying additional payloads, exploiting system vulnerabilities to facilitate additional attacks, evading detection with various countermeasures, rapidly exfiltrating data through encrypted tunnels, and more.2
3. Prevention and Mitigation
CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), “Guide to Malware Incident Prevention & Handling for Desktops and Laptops” for more information on malware incident prevention and handling.3
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
4. Indicators of Compromise
|TEARDROP loader SHA256 hashes|
TEARDROP loader original filenames
Cobalt Strike Beacon C&C domains
Cobalt Strike Beacon C&C URLs