| ID | X0041 |
| Type | Dropper |
| Aliases | None |
| Platforms | Windows |
| Year | 2018 |
| Associated ATT&CK Software | TEARDROP |
TEARDROP is a memory-only dropper associated with the SolarWinds supply chain compromise.
See ATT&CK: TEARDROP - Techniques Used.
| Name | Use |
|---|---|
| Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm (E1027.m05) | Malware decrypts an embedded code buffer using an XOR-based stream cipher. [1] |
| Command and Control::Ingress Tool Transfer (E1105) | Malware executes the decrypted, embedded code buffer, which is a Cobalt Strike Remote Access Tool (RAT). [1] |
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Capture Evasion::Memory-only Payload (B0036.001) | Malware loads its payload into memory. [1] |
[1] https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-039b/