OVERVIEW
TEARDROP is a memory-only (fileless) dropper first observed in late 2020 as a second-stage component of the SUNBURST infection chain used in the SolarWinds supply-chain compromise. The dropper was generated from a custom Artifact Kit template; it drops a preliminary loader, which in turn loads the Cobalt Strike Reflective Loader.
TARGETING
The full extent of targeting relating to TEARDROP/SUNBURST is difficult to determine. Early media reports indicated that up to 18,000 SolarWinds customers may have been impacted, but later statements by the company say "customers who were hacked through SUNBURST [were] fewer than 100." This is consistent with every customer that applied the trojanized update receiving SUNBURST, while the adversary actively followed up on fewer than 100 of them.
It is known that several multinational American IT companies were affected to varying degrees, as were a number of US federal government departments.
TEARDROP DELIVERY
TEARDROP is delivered to an already compromised host as a follow-on payload by the SUNBURST implant.
TEARDROP INSTALLATION
There are at least two known variants of the loader: a service DLL loaded by svchost.exe, and a non-service DLL loaded with rundll32.exe.
When executing, TEARDROP attempts to open a JPEG file whose name follows the format _.jpeg (observed examples include festive_computer.jpg, upbeat_anxiety.jpg, confident_promotion.jpg, and gracious_truth.jpg).
The malware then checks for the registry key SOFTWARE\Microsoft\CTF and, if it is present, silently exits.
TEARDROP PERSISTENCE
TEARDROP establishes persistence as a Windows service; the dropper creates the service by editing the Windows registry.
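The installation and persistence behaviours above (a loader hosted by svchost.exe or rundll32.exe opening a .jpg with an adjective_noun style name, a query of the SOFTWARE\Microsoft\CTF key, and a service registered via the registry) can be turned into host triage rules. The following is an added example written for this page, not code from the original or from any vendor analysis. It runs over a constructed, simplified telemetry format (timestamp|host|event_type|process_image|target, an assumption standing in for Sysmon or EDR fields); the file-name regex is generalised from the example names listed above and is an assumption, as are the constructed host names, SID, service name and DLL path in the sample data.

```python
"""Triage rules for TEARDROP-style loader behaviour over constructed telemetry."""
import re
from collections import defaultdict

# Processes the page names as hosts for the two loader variants.
LOADER_HOSTS = {"svchost.exe", "rundll32.exe"}

# Assumption: generalises the observed names (festive_computer.jpg,
# upbeat_anxiety.jpg, ...) to two lowercase words joined by an underscore.
JPEG_NAME = re.compile(r"^[a-z]+_[a-z]+\.jpe?g$")

# The key the loader checks; hive prefix (HKU/HKCU/HKLM) deliberately ignored.
CTF_KEY = re.compile(r"\\software\\microsoft\\ctf$", re.IGNORECASE)

# svchost-hosted services register their DLL under Parameters\ServiceDll.
# A ServiceDll outside the Windows system directories is the persistence cue.
SERVICE_DLL = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)"
    r"\\Parameters\\ServiceDll=(?P<dll>.+)$",
    re.IGNORECASE,
)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\windows\\(system32|syswow64)\\[^\\]+$",
                        re.IGNORECASE)


def parse(line):
    """Split one constructed telemetry record into its fields."""
    ts, host, etype, image, target = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "type": etype,
            "image": image.rsplit("\\", 1)[-1].lower(), "target": target}


def classify(ev):
    """Return the rule id an event triggers, or None if it is benign."""
    if ev["image"] in LOADER_HOSTS and ev["type"] == "FILE_OPEN":
        if JPEG_NAME.match(ev["target"].rsplit("\\", 1)[-1].lower()):
            return "T1_jpeg_read"
    if ev["image"] in LOADER_HOSTS and ev["type"] == "REG_QUERY":
        if CTF_KEY.search(ev["target"]):
            return "T2_ctf_check"
    if ev["type"] == "REG_SET":
        m = SERVICE_DLL.match(ev["target"])
        if m and not SYSTEM_DIR.match(m.group("dll")):
            return "T3_service_dll"
    return None


def triage(lines):
    """Map each host to the sorted list of distinct rules it triggered."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        rule = classify(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {h: sorted(r) for h, r in hits.items()}


def hosts_to_escalate(lines, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours: escalate these."""
    return sorted(h for h, rules in triage(lines).items() if len(rules) >= threshold)


# Constructed sample telemetry (not real logs): WS-041 shows all three
# behaviours, WS-077 shows look-alike but benign activity.
SAMPLE = r"""
2020-12-10T03:13:52Z|WS-041|REG_SET|C:\Windows\System32\services.exe|HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\Parameters\ServiceDll=C:\ProgramData\Updater\updsvc.dll
2020-12-10T03:14:07Z|WS-041|FILE_OPEN|C:\Windows\System32\svchost.exe|C:\ProgramData\Updater\gracious_truth.jpg
2020-12-10T03:14:07Z|WS-041|REG_QUERY|C:\Windows\System32\svchost.exe|HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\CTF
2020-12-10T03:20:11Z|WS-077|FILE_OPEN|C:\Program Files\Viewer\viewer.exe|C:\Users\a\Pictures\happy_dog.jpg
2020-12-10T03:21:00Z|WS-077|REG_QUERY|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2020-12-10T03:22:00Z|WS-077|REG_SET|C:\Windows\System32\services.exe|HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll=C:\Windows\System32\dhcpcore.dll
"""

if __name__ == "__main__":
    for host, rules in triage(SAMPLE.splitlines()).items():
        print(host, rules)
    print("escalate:", hosts_to_escalate(SAMPLE.splitlines()))
```

Each rule on its own is noisy (svchost.exe reading an image file, or a non-System32 ServiceDll, both occur legitimately), which is why the escalation decision is made on the combination of distinct behaviours per host rather than on any single event.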