Cyber Threat Advisory: TEARDROP Malware

Share On Facebook
Share On Twitter
Share On Linkedin

Author: James Barnett

TLP:WHITE

1.   Executive Summary

On 8 February, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware related to the supply chain attack on SolarWinds’ Orion platform that was discovered in December 2020.1 Cybersecurity company FireEye has named this malware TEARDROP. The report details the analysis of a trojan backdoor that decrypts and executes an embedded payload – Cobalt Strike Beacon Implant (Version 4) – that enables the attacker to remotely control infected systems through an encrypted network tunnel.

2.   Analysis

                 2.1.    TEARDROP DLL

CISA reports that TEARDROP is a malicious 64-bit dynamic-link library (DLL) that decrypts and loads a malicious payload from an embedded code buffer. When executed, the malware attempts to read the first 64-bytes of a file named festive_computer.jpg but it does not actually utilize the data it reads from this file and will continue executing even if the file doesn’t exist. After attempting to read festive_computer.jpg, the TEARDROP DLL uses an XOR cipher to decrypt and execute the Cobalt Strike Beacon Implant (Version 4) remote access tool (RAT) contained within its embedded code buffer. TEARDROP does not create any files during this process since the malware operates entirely within memory.

                 2.2.    Cobalt Strike

Cobalt Strike is a legitimate penetration testing tool that has become increasingly popular amongst threat actors due to its wide array of powerful features. Its capabilities include keylogging, taking screenshots, deploying additional payloads, exploiting system vulnerabilities to facilitate additional attacks, evading detection with various countermeasures, rapidly exfiltrating data through encrypted tunnels, and more.2

3.   Prevention and Mitigation

CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the publication from the National Institute of Standards and Technology (NIST), “Guide to Malware Incident Prevention & Handling for Desktops and Laptops” for more information on malware incident prevention and handling.3

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

4.   Indicators of Compromise 

Indicator

 Description

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c
b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

 TEARDROP loader SHA256 hashes

NETSETUPSVC.DLL
libintl3.dll

TEARDROP loader original filenames

ervsystem[.]com
infinitysoftwares[.]com

Cobalt Strike Beacon C&C domains
http://ervsystem[.]com/2019/Two-Man-Point-The-Brands/
http://ervsystem[.]com/2019/Users-Case-Documentation-And-Yourselt/http://infinitysoftwares[.]com/files/information_055.pdf
http://infinitysoftwares[.]com/wp-admin/new_file.php

Cobalt Strike Beacon C&C URLs

 

Endnotes

  1. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
  2. https://www.cobaltstrike.com/features
  3. https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×