Raspberry Robin malware now targets telecom, government entities in Latin America, Oceania, Europe

Trend Micro detected samples of the Raspberry Robin malware in organizations compromised by the group, largely government agencies and telecommunications entities across Latin America, Oceania (Australia), and Europe, beginning in September. The main payload is packed in more than ten layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.

“We found a malware sample allegedly capable of connecting to the Tor network to deliver its payloads,” Christopher So, a Trend Micro researcher, wrote in a company blog post on Tuesday. “Our initial analysis of the malware, which compromised a number of organizations toward the end of September, showed that while the main malware routine contains both the real and fake payloads, it loads the fake payload once it detects sandboxing tools to evade security and analytics tools from detecting and studying the malware’s real routine. Meanwhile, the real payload remains obfuscated under packing layers and subsequently connects to the Tor network.” 

In May this year, Red Canary Intelligence disclosed that it had been tracking a cluster of malicious activity it calls ‘Raspberry Robin’ and had observed it targeting organizations with ties to technology and manufacturing, though it was not yet clear whether there were other links among victims.

Trend Micro now assesses that the campaign and malware, identified as Raspberry Robin by Red Canary (detected by Trend Micro as Backdoor.Win32.RASPBERRYROBIN.A), spreads to systems through infected USB (universal serial bus) drives, with worm-like capabilities owing to its use of [dot]lnk files.

So added that given the malware’s layering features and the stages of its infection routine, “we are still confirming its main motivation for deployment. Currently, its possible motivation ranges from theft to cyberespionage. So far, we have noted the malware’s capability to hide itself via multiple layers for obfuscation, as well as its feature of delivering a fake payload once the routine detects sandboxing and analysis solutions. The group behind Raspberry Robin appears to be testing the waters to see how far its deployments can spread.”

Trend Micro highlighted that to prevent researchers from analyzing this malware, Raspberry Robin’s main malware itself is packed multiple times, with each layer heavily obfuscated. “The code is obfuscated in different ways. Starting from the third layer, each subroutine can be thought of as a state machine and implemented as a loop. At the start of each subroutine, the table of values is decrypted. This table of values serves as a container for constant values used in the subroutine, as well as the state transition table,” the post added.

“Another obfuscation technique used to hide the main malware obfuscates the call to other subroutines,” according to So. “In regular programs, the address of another subroutine is in the call itself. In this malware, however, the address is computed using hard-coded values and values from the previously mentioned decrypted table of values. The result of this is placed in a register, and an indirect call is made using the register.”

Trend Micro also pointed out that the malware is composed of two payloads embedded in a payload loader that is itself packed six times. “We noted layers 3 and 5 as capable of anti-analysis techniques. Meanwhile, we found that not all layers have unique packers. The fourth and seventh layers are identical, as well as the tenth and thirteenth. The packing of the eighth and fourteenth layers is also similar. This repeated use of packers implies that the group is using a separate packing program.”

So added that “we are continuing with our analysis to see if this program is their own or if it is outsourced to other groups, as this technique can be indicative of the group’s future use of these same packers. It is also possible for these same packers to be replaced with variations in patterns. On layer 8, the payload loader, the execution splits into two paths. If the malware detects that it is being analyzed, it loads the fake payload. Otherwise, it loads the real payload.”

Trend Micro analyzed that running in Session 0, the real payload attempts to connect to the hard-coded Tor addresses, where the connections are made in another process. “For the real payload to facilitate the exchange of information and the Tor-connecting process, a shared-named memory map is created. The Tor address is written to offset 14h of the shared memory, hard-coded but encrypted within the sample itself,” the post added.

“In starting its Tor client process, the real payload randomly selects a name among these first – dllhost[dot]exe, regsvr32[dot]exe, and rundll32[dot]exe,” So wrote. “It then creates a suspended process, injects the code of the Tor client, resumes the process, and waits for data from the Tor client. As far as what the sample does to the received data, we have not seen any use of it in the wild so far since we did find that the buffer containing the data is freed without using it,” he added.

The Tor client itself is composed of four layers. The first two layers are packer codes. The third layer retrieves the Tor address from the shared memory, unpacks the fourth layer, and calls the fourth layer to do the actual Tor communication. The data received by the fourth layer is encrypted by the third layer and written to the shared memory, to be read by the main routine.
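The behaviour described above gives defenders a concrete correlation to hunt for: a Session 0 process named dllhost.exe, regsvr32.exe or rundll32.exe that initiates outbound network traffic. The following is an added example, not Trend Micro’s code; it assumes Sysmon-style field names (EID 1 process creation with TerminalSessionId, EID 3 network connection) and runs over constructed sample events rather than real telemetry or indicators.

```python
# Added example: correlate constructed Sysmon-style events to flag Session 0
# instances of the three host-process names the report says the real payload
# picks for its Tor client, when they initiate an outbound connection.
HOST_PROCESS_NAMES = {"dllhost.exe", "regsvr32.exe", "rundll32.exe"}

# Constructed sample telemetry (addresses and parents are illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "Image": r"C:\Windows\System32\rundll32.exe",
     "TerminalSessionId": 0, "ParentImage": r"C:\Users\Public\loader.exe"},
    {"EventID": 1, "ProcessGuid": "B2", "Image": r"C:\Windows\System32\rundll32.exe",
     "TerminalSessionId": 1, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "C3", "Image": r"C:\Windows\System32\dllhost.exe",
     "TerminalSessionId": 0, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessGuid": "A1", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 9001},
    {"EventID": 3, "ProcessGuid": "B2", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "A1", "Initiated": False,
     "DestinationIp": "10.0.0.5", "DestinationPort": 135},
]


def find_session0_host_connections(events):
    """Return {ProcessGuid: details} for Session 0 host processes with outbound traffic."""
    # Pass 1: remember processes created in Session 0 under one of the watched names.
    watched = {}
    for ev in events:
        if ev["EventID"] != 1:
            continue
        name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if name in HOST_PROCESS_NAMES and ev["TerminalSessionId"] == 0:
            watched[ev["ProcessGuid"]] = {
                "image": name, "parent": ev["ParentImage"], "connections": []}
    # Pass 2: attach only *initiated* (outbound) connections to those processes;
    # inbound hits such as RPC on 135 are normal for dllhost/svchost and ignored.
    for ev in events:
        if ev["EventID"] == 3 and ev["Initiated"] and ev["ProcessGuid"] in watched:
            watched[ev["ProcessGuid"]]["connections"].append(
                (ev["DestinationIp"], ev["DestinationPort"]))
    # Session 0 hosts with no outbound traffic (like the COM surrogate C3) are not flagged.
    return {guid: info for guid, info in watched.items() if info["connections"]}


if __name__ == "__main__":
    for guid, info in find_session0_host_connections(SAMPLE_EVENTS).items():
        print(guid, info)
```

Only the Session 0 rundll32.exe with an initiated connection is reported; the interactive-session rundll32.exe and the idle Session 0 dllhost.exe are left alone, which keeps the rule usable on hosts where those binaries run legitimately.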

So concluded that the malware noticeably uses many anti-analysis techniques, and its main payload is packed in many layers, each of which requires analysis. “Therefore, an analyst who lacks experience will find only the fake payload. Clearly, the actor behind this has made considerable effort to hinder analysis.”

“While the technique of packing the codes is not unique, some of the packing layers have very similar codes and can be grouped into packer families. The style of packing is also similar on all layers except for the first two: An executable is stripped of some header information, encrypted, and added to the unpacking code,” So added. “The group must therefore be using something akin to a packed sample generator, which takes a payload executable and produces a multi-layered packed sample.” 

On the surface, it looks like the group could be providing this as ‘packing service’ or ‘executable packing-as-a-service’ (if there is such a term), and the people behind this could be associated with the threat actors behind LockBit, So wrote. “We continue to analyze and document all the anti-debugging techniques and layers used in these samples and incidents.”

He added that the use of Session 0 is also sophisticated. “The purpose of Session 0 Isolation is to increase system security by preventing services running in the local system account having user interactions. Isolating services in their own non-interactive sections inaccessible by regular processes will decrease the chances of abuse to elevate another piece of (malicious) code’s privileges. Hence, having access to Session 0 would mean privilege escalation. However, an attacker must use privilege escalation techniques to gain access.”

So also pointed out that the ICM calibration technique used for privilege escalation was previously seen in the LockBit ransomware. “There is also the similarity of the anti-debugging technique using ThreadHideFromDebugger. However, even if Raspberry Robin uses the same techniques, we cannot conclude for certain that the actors behind LockBit and Raspberry Robin are the same.”

Because LockBit operates as a ransomware-as-a-service (RaaS) group, several relationships are possible: the group behind LockBit may also be behind Raspberry Robin; the group behind Raspberry Robin may be the maker of some of the tools LockBit uses; or the group behind Raspberry Robin may have used the services of the affiliate responsible for the techniques seen in LockBit.

“Given that the returned data is empty and was not used, it seems that the actor has been trying to see how far its campaign operation can spread, most likely as part of its reconnaissance effort,” according to So. “We can thus consider this an indication of a possible routine for the group’s long-term plans, as well as a possible precursor to a follow-up operation in the future.”

Last month, Mandiant released details on identified cyber espionage activity, currently being tracked as UNC4191, which leverages USB devices as an initial infection vector, and concentrates on the Philippines. These operations have affected various public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and the APJ (Asia Pacific and Japan) region.
