| Rainyday | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | China |
| Targeted Countries | Vietnam |
| Date of initial activity | 2021 |
| Associated Groups | Firefly Group |
| Motivation | Espionage |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
Rainyday is a backdoor attributed to the Firefly APT group and used for cyber espionage. It is usually deployed as one component of a broader intrusion against high-value networks, with an emphasis on precision and stealth. Its tooling and operational methods make it a representative example of advanced persistent threat (APT) capabilities and of the defensive measures such threats demand.
The malware follows a multi-stage approach covering initial access, execution, persistence, and data exfiltration. It commonly gains entry through spear-phishing campaigns or by exploiting vulnerabilities in publicly exposed applications. Once inside, Rainyday establishes its foothold by placing its loader beside a legitimate application or system process so that the legitimate binary loads it, a technique known as sideloading. Running under a trusted process helps the malware evade detection and persist across reboots and logins.
In its execution phase Rainyday relies on obfuscated and encrypted payloads. It frequently uses command-line interfaces and legitimate system binaries to run its code while staying under the radar of traditional security controls, and its persistence mechanisms keep access to compromised systems alive even after the initial entry vector is closed.
Rainyday also has advanced capabilities for credential harvesting, lateral movement, and data exfiltration. Through credential dumping and encrypted command-and-control channels it gathers sensitive information from its targets and moves it out of the network. The obfuscation and encryption that disguise these activities further complicate detection and response.
Targets
Information.
How they operate
Initial Infection and Deployment
Rainyday typically gets onto target systems by exploiting known vulnerabilities or through social engineering. One recurring method uses legitimate software as the delivery vehicle: Rainyday has been observed using a loader placed alongside a seemingly benign application, such as the F-Secure executable, to deploy its payload. Because the loader runs inside a legitimate process, this approach lets Rainyday slip past security controls that trust that process.
Execution and Persistence
Once deployed, Rainyday establishes a foothold on the compromised system by running its payload with various command-line parameters. The malware uses a loader named fspmapi.dll, which is sideloaded by the legitimate F-Secure software. The loader locates a memory address in the executable that loaded it and patches it so that execution flow is redirected into its own code. Through this redirection Rainyday maintains its presence on the system and executes its payload without detection.
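The sideloading pattern described above (a legitimate signed executable loading an unsigned loader DLL such as fspmapi.dll from its own directory) is something image-load telemetry can surface. The following is an added detection example, not code from the original page or from any vendor: it runs a simple heuristic over image-load records in a simplified, constructed schema (host path and signing state, loaded DLL path and signing state). The loader name fspmapi.dll comes from the page; every path in the sample records is a constructed placeholder. Note that in Sysmon Event ID 7 the Signed/SignatureStatus fields describe the loaded DLL only, so the host's signing state would have to be joined from other telemetry before this rule is applied.

```python
"""Heuristic detection of DLL side-loading in image-load telemetry.

Added example; not from the original page or any vendor. Pattern: a signed
host process loads an unsigned DLL that sits in the host's own directory.
Records use a constructed, simplified schema; all paths are placeholders.
"""
import ntpath  # Windows path semantics regardless of the host OS
from typing import Optional

# Loader DLL name taken from the page; matches raise severity to "high".
KNOWN_LOADER_DLLS = {"fspmapi.dll"}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1: signed host loads the page's loader name from its own folder -> high
    {"host": r"C:\Users\u\AppData\Local\Temp\fsupd\vendor_tool.exe", "host_signed": True,
     "dll": r"C:\Users\u\AppData\Local\Temp\fsupd\fspmapi.dll", "dll_signed": False},
    # 2: ordinary OS load, both images signed -> not flagged
    {"host": r"C:\Windows\System32\svchost.exe", "host_signed": True,
     "dll": r"C:\Windows\System32\ntdll.dll", "dll_signed": True},
    # 3: signed application loads an unsigned DLL beside itself -> medium
    {"host": r"C:\Program Files\ExampleApp\app.exe", "host_signed": True,
     "dll": r"C:\Program Files\ExampleApp\helper.dll", "dll_signed": False},
    # 4: unsigned host: not the "trusted process" pattern this rule covers
    {"host": r"C:\Temp\build\tool.exe", "host_signed": False,
     "dll": r"C:\Temp\build\plugin.dll", "dll_signed": False},
    # 5: unsigned DLL from another directory: a different pattern, not flagged here
    {"host": r"C:\Program Files\ExampleApp\app.exe", "host_signed": True,
     "dll": r"C:\Users\u\Downloads\x.dll", "dll_signed": False},
]


def same_directory(a: str, b: str) -> bool:
    """Case-insensitive comparison of the two paths' directories (Windows rules)."""
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one image-load record."""
    host, dll = event["host"], event["dll"]
    if not event["host_signed"] or event["dll_signed"]:
        return None  # need a signed (trusted) host and an unsigned DLL
    if not dll.lower().endswith(".dll") or not same_directory(host, dll):
        return None  # side-loading: the DLL sits beside the host binary
    if ntpath.basename(dll).lower() in KNOWN_LOADER_DLLS:
        return "high"  # loader name the page associates with Rainyday
    return "medium"


def detect(events: list) -> list:
    """Return (severity, host, dll) tuples for every flagged record."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["host"], ev["dll"]))
    return hits


if __name__ == "__main__":
    for sev, host, dll in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {host} loaded {dll}")
```

Record 3 shows why the rule reports a severity rather than a verdict: many legitimate applications ship unsigned helper DLLs beside a signed executable, so a "medium" hit needs baselining against known-good installs, whereas the loader name from the page warrants immediate triage.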
Obfuscation and Evasion Techniques
Rainyday uses obfuscation to evade security solutions. The loader encrypts the payload with simple schemes such as a single-byte XOR key to make static analysis harder. Keeping the payload encrypted until run time reduces the chance that security tools detect or analyze it, so the malicious activity stays hidden from conventional monitoring.
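A single-byte XOR key hides the payload from string scanners, but it has only 255 useful values, so an analyst can recover the key by trying all of them and looking for the markers a decoded Windows executable must expose. The following triage routine is an added example, not code from the original page or from any Rainyday report: it brute-forces every key over a blob and scores candidates by PE markers (the "MZ" header at offset 0, the DOS stub string, and the "PE\0\0" signature). The sample blob is a constructed PE-like stub encoded with a constructed key; no real payload is embedded.

```python
"""Single-byte XOR triage for a suspected encrypted payload.

Added example (not from the original page or any vendor): tries all 255
non-identity single-byte keys and ranks candidates by PE markers revealed.
The sample blob is constructed inline and contains no real malware.
"""
from typing import Optional, Tuple

# Markers a decoded PE image should expose. "MZ" only counts at offset 0.
DOS_STUB = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0..255)."""
    return bytes(b ^ key for b in data)


def score_candidate(candidate: bytes) -> int:
    """Number of PE markers present in a decoded candidate (0..3)."""
    score = 1 if candidate[:2] == b"MZ" else 0
    if DOS_STUB in candidate:
        score += 1
    if PE_SIGNATURE in candidate:
        score += 1
    return score


def recover_single_byte_xor(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded) for the best-scoring key, or None if no key
    reveals any PE marker. Key 0x00 is skipped: it is the identity."""
    best = None  # (score, key, decoded)
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        score = score_candidate(decoded)
        if score and (best is None or score > best[0]):
            best = (score, key, decoded)
    if best is None:
        return None
    return best[1], best[2]


# Constructed stand-in for an encrypted payload: a minimal PE-like stub
# (DOS header bytes, DOS stub string, PE signature) XORed with key 0x5A.
SAMPLE_STUB = (b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\n$" + b"\x00" * 20 + PE_SIGNATURE)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_STUB, SAMPLE_KEY)


if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key reveals a PE image")
    else:
        key, decoded = result
        print(f"key=0x{key:02x} markers={score_candidate(decoded)}")
```

The scoring deliberately requires "MZ" at offset 0 rather than anywhere in the buffer, because two-byte substrings appear by chance under wrong keys. If no key scores, the blob may use a multi-byte or rolling key, or the payload may not be a PE at all; either way this routine returns None rather than a guess.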
Command and Control Communication
Rainyday communicates with its command-and-control (C2) servers to receive instructions and exfiltrate data. It uses encrypted channels and often disguises its traffic as legitimate web communication, which helps it evade network monitoring and keep a covert presence in the target environment.
Data Exfiltration and Lateral Movement
The malware’s capabilities extend to data exfiltration and lateral movement within the compromised network. Rainyday systematically gathers sensitive information from the infected host and stages it for extraction. To reach additional systems it uses lateral-movement techniques such as abusing RDP (Remote Desktop Protocol) or reusing compromised credentials.
MITRE Tactics and Techniques
Initial Access (TA0001)
Exploit Public-Facing Application (T1190): Rainyday has been observed leveraging vulnerabilities in publicly accessible software to gain initial access.
Spearphishing Attachment (T1566.001): The malware may use spearphishing techniques to deliver malicious payloads, exploiting social engineering tactics.
Execution (TA0002)
Command-Line Interface (T1059): Rainyday employs command-line tools for execution and control. It often executes its payload through scripts or command-line parameters.
Sideloading (T1203.002): The malware uses sideloading techniques by embedding itself within legitimate software, such as using a loader in F-Secure executables.
Persistence (TA0003)
Boot or Logon Autostart Execution (T1547): Rainyday establishes persistence through modifications to system configurations, ensuring it reactivates after a reboot or logon.
Privilege Escalation (TA0004)
Exploitation of Vulnerability (T1203): By exploiting known vulnerabilities, Rainyday can escalate its privileges within the compromised system.
Defense Evasion (TA0005)
Obfuscated Files or Information (T1027): Rainyday employs encryption and obfuscation techniques to hide its payload and evade detection. The malware uses encryption methods like XOR to obscure its code.
Signed Binary Proxy Execution (T1203.003): It may use legitimate signed binaries to execute malicious code, thereby evading security tools.
Credential Access (TA0006)
Credential Dumping (T1003): Rainyday can harvest credentials from the compromised system, facilitating further access and lateral movement.
Discovery (TA0007)
Network Service Scanning (T1046): Rainyday uses network scanning techniques to identify services and expand its reach within the compromised environment.
System Information Discovery (T1082): It gathers information about the system to understand its environment and identify valuable targets.
Lateral Movement (TA0008)
Remote File Copy (T1105): The malware may copy files to remote hosts in order to move laterally and spread within the network.
Collection (TA0009)
Data Staged (T1074): Rainyday stages collected data for exfiltration, preparing it for transfer to external locations.
Command and Control (TA0011)
Encrypted Channel (T1573): Rainyday communicates with its command and control servers using encrypted channels to avoid detection.
Exfiltration (TA0010)
Exfiltration Over Command and Control Channel (T1041): It exfiltrates data through the same channels used for C2 communication, making it difficult to detect.
Impact (TA0040)
Data Destruction (T1485): In some cases, Rainyday may destroy or alter data as part of its impact strategy.