TEARDROP is fileless malware that functions as a dropper. The malware, which was first observed in late 2020, was observed as part of the SUNBURST infection chain used to conduct the SolarWinds attacks in late 2020. The dropper was generated using custom Artifact Kit template, and drops a preliminary loader, which in turn drops the Cobalt Strike Reflective Loader.
The full extent of targeting relating to TEARDROP/SUNBURST is difficult to determine. While early media reports indicated that up to 18,000 SolarWinds customers may have been impacted, later reports by the company say "customers who were hacked through SUNBURST [were] fewer than 100." This could indicate that all customers that applied the updated were impacted, but the adversary only actively targeted less than 100.
It is known that several multi-national American IT companies were impacted to varying degrees, as well as a number of US federal government departments.
The malware is delivered using the SUNBURST implant.
There are at least two known variants of the the loader. The first, a service DLL loaded by svchost.exe, and a non-service DLL loaded using rundll32.exe.
When executing, TEARDROP attempts to open a JPEG file using the format _.jpeg (examples have included festive_computer.jpg, upbeat_anxiety.jpg, confident_promotion.jpg, and gracious_truth.jpg).
The malware will then check the registry key SOFTWARE\Microsoft\CTF and if it is present, will silently exit.
TEARDROP establishes persistence using a Windows service, which relies on the dropper editing the Windows registry.
Get the Free Hunt Packages!
Check Out Other Emerging Threats >
Intel 471 discovered a new Android trojan, FvncBot, that masquerades as a security application for mBank, a major Polish bank. Our Malware Intelligence team analyzed its code, which is new and not based on other leaked malware code.
Lynx Ransomware is rapidly expanding, targeting organizations across North America and Europe with data theft and double extortion, backed by a growing network of skilled affiliates.
Threat actors are increasingly using methods to circumvent multifactor authentication, which poses a risk of account takeover. Here’s a briefing on some types of attacks and defenses to put in place.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.