{"id":6011,"date":"2021-02-10T09:40:54","date_gmt":"2021-02-10T17:40:54","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6011"},"modified":"2024-04-26T13:20:54","modified_gmt":"2024-04-26T20:20:54","slug":"teardrop-malware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/teardrop-malware\/","title":{"rendered":"Cyber Threat Advisory: TEARDROP Malware"},"content":{"rendered":"<p>Author: James Barnett<\/p>\n<p>TLP:WHITE<\/p>\n<h3>1. Executive Summary<\/h3>\n<p>On 8 February, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware related to the supply chain attack on SolarWinds\u2019 Orion platform that was discovered in December 2020.<sup>1<\/sup> Cybersecurity company FireEye has named this malware TEARDROP. The report details the analysis of a trojan backdoor that decrypts and executes an embedded payload &#8211; Cobalt Strike Beacon Implant (Version 4) &#8211; that enables the attacker to remotely control infected systems through an encrypted network tunnel.<\/p>\n<h3>2. Analysis<\/h3>\n<h4>2.1. TEARDROP DLL<\/h4>\n<p>CISA reports that TEARDROP is a malicious 64-bit dynamic-link library (DLL) that decrypts and loads a malicious payload from an embedded code buffer. When executed, the malware attempts to read the first 64 bytes of a file named <em>festive_computer.jpg<\/em>, but it does not actually use the data it reads from this file and continues executing even if the file does not exist. After attempting to read <em>festive_computer.jpg<\/em>, the TEARDROP DLL uses an XOR cipher to decrypt and execute the Cobalt Strike Beacon Implant (Version 4) remote access tool (RAT) contained within its embedded code buffer. 
TEARDROP does not create any files during this process since the malware operates entirely within memory.<\/p>\n<h4>2.2. Cobalt Strike<\/h4>\n<p>Cobalt Strike is a legitimate penetration testing tool that has become increasingly popular amongst threat actors due to its wide array of powerful features. Its capabilities include keylogging, taking screenshots, deploying additional payloads, exploiting system vulnerabilities to facilitate additional attacks, evading detection with various countermeasures, rapidly exfiltrating data through encrypted tunnels, and more.<sup>2<\/sup><\/p>\n<h3>3. Prevention and Mitigation<\/h3>\n<p>CISA provides the following list of best practices to strengthen the security of an organization. In addition, CISA references the National Institute of Standards and Technology (NIST) publication \u201cGuide to Malware Incident Prevention &amp; Handling for Desktops and Laptops\u201d for more information on malware incident prevention and handling.<sup>3<\/sup><\/p>\n<ul>\n<li>Maintain up-to-date antivirus signatures and engines.<\/li>\n<li>Keep operating system patches up-to-date.<\/li>\n<li>Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.<\/li>\n<li>Restrict users&#8217; ability (permissions) to install and run unwanted software applications. 
Do not add users to the local administrators group unless required.<\/li>\n<li>Enforce a strong password policy and implement regular password changes.<\/li>\n<li>Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.<\/li>\n<li>Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.<\/li>\n<li>Disable unnecessary services on agency workstations and servers.<\/li>\n<li>Scan for and remove suspicious email attachments; ensure the scanned attachment is its &#8220;true file type&#8221; (i.e., the extension matches the file header).<\/li>\n<li>Monitor users&#8217; web browsing habits; restrict access to sites with unfavorable content.<\/li>\n<li>Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).<\/li>\n<li>Scan all software downloaded from the Internet prior to executing.<\/li>\n<li>Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).<\/li>\n<\/ul>\n<h3>4. Indicators of Compromise<\/h3>\n<table width=\"680\">\n<tbody>\n<tr>\n<td width=\"532\">\n<p style=\"text-align: center;\"><strong>Indicator<\/strong><\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"148\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"532\">\n<p style=\"text-align: center;\">1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c<br \/>\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07<\/p>\n<\/td>\n<td style=\"text-align: center;\" width=\"148\">TEARDROP loader SHA256 hashes<\/td>\n<\/tr>\n<tr>\n<td width=\"532\">\n<p style=\"text-align: center;\">NETSETUPSVC.DLL<br \/>\nlibintl3.dll<\/p>\n<\/td>\n<td width=\"148\">\n<p style=\"text-align: center;\">TEARDROP loader original filenames<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"532\">\n<p style=\"text-align: center;\">ervsystem[.]com<br 
\/>\ninfinitysoftwares[.]com<\/p>\n<\/td>\n<td width=\"148\">\n<p style=\"text-align: center;\">Cobalt Strike Beacon C&amp;C domains<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" width=\"532\">http:\/\/ervsystem[.]com\/2019\/Two-Man-Point-The-Brands\/<br \/>\nhttp:\/\/ervsystem[.]com\/2019\/Users-Case-Documentation-And-Yourselt\/<br \/>\nhttp:\/\/infinitysoftwares[.]com\/files\/information_055.pdf<br \/>\nhttp:\/\/infinitysoftwares[.]com\/wp-admin\/new_file.php<\/td>\n<td width=\"148\">\n<p style=\"text-align: center;\">Cobalt Strike Beacon C&amp;C URLs<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Endnotes<\/h3>\n<ol>\n<li><a href=\"https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-039b\">https:\/\/us-cert.cisa.gov\/ncas\/analysis-reports\/ar21-039b<\/a><\/li>\n<li><a href=\"https:\/\/www.cobaltstrike.com\/features\">https:\/\/www.cobaltstrike.com\/features<\/a><\/li>\n<li><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final\">https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-83\/rev-1\/final<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: James Barnett TLP:WHITE 1. Executive Summary On 8 February, the Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on malware related to the supply chain attack on SolarWinds\u2019 Orion platform that was discovered in December 2020.1 Cybersecurity company FireEye has named this malware TEARDROP. 
The report details the analysis of [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6735,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[554],"tags":[32,437,260],"class_list":{"0":"post-6011","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-threat-advisory","8":"tag-malware","9":"tag-teardrop","10":"tag-trojan","11":"entry"},"acf":[]}