
Raspberry Robin observed spreading via Windows Script Files


Cybercriminals have changed the way they spread the Windows worm Raspberry Robin, the HP Threat Research team observed last month.

The HP researchers said in an April 10 blog post that Raspberry Robin is now being delivered through Windows Script Files (WSF). These script files are highly obfuscated, which lets the malware evade detection.

The researchers pointed out that Raspberry Robin was known to spread through removable media like USB drives, but its distributors have also experimented with other initial infection file types.

“The WSF downloader is heavily obfuscated and uses a large range of anti-analysis and anti-VM techniques, enabling the malware to evade detection and slow down analysis,” wrote the HP researchers. “This is particularly concerning given that Raspberry Robin has been used as a precursor for human-operated ransomware. Countering this malware early on in its infection chain should be a high priority for security teams.”

Discovered and named by Red Canary in 2021, Raspberry Robin first targeted technology and manufacturing companies, but has become a threat to all types of enterprises.

The HP researchers say that once an attacker infects a system with Raspberry Robin, the malware communicates with its command-and-control servers over Tor, where it can download and execute additional payloads. Raspberry Robin has been used to deliver various families of malware, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot. It’s also been a precursor to ransomware.

Threat actors will constantly look for ways to reuse effective malware, said John Gallagher, vice president of Viakoo Labs. Gallagher noted that what sets this case apart from other examples is its move from IoT-focused delivery (QNAP and removable media) to more central, Windows-based IT systems.

“It could be that IoT-based delivery was the warm-up act to the main event,” said Gallagher. “IoT systems are often on hidden or segmented networks, and by moving to Windows systems there will be more opportunities for exploitation. Most troubling is the sophisticated anti-detection methods used by Raspberry Robin, making testing in a sandbox ineffective. Organizations should consider other restrictions on WSFs until a better method of early detection is available.”

“WSFs allow the use of multiple scripting languages and have been used by malware in the past,” added Balazs Greksza, threat response lead at Ontinue.

“One example from last year is Qbot,” said Greksza. “The Raspberry Robin downloader on this particular report seems to evade defenses for the moment. However, the delivered threats have a higher chance of eventually being caught and prevented at runtime.”
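As an added defender-side illustration of the points above (this is not HP's, Ontinue's or SC Media's code, and the embedded WSF is constructed sample content, not Raspberry Robin's), the following Python triages a WSF file: it lists the scripting languages used in each `<script>` block and flags common obfuscation constructs and high entropy, the kind of early-chain check the researchers say should be a priority. It assumes double-quoted `language` attributes and treats the marker list and entropy threshold as tunable heuristics, not a verdict.

```python
import math
import re
from collections import Counter

# Constructed sample WSF: a benign VBScript block plus a JScript block that
# uses typical obfuscation primitives. Hypothetical content, not real malware.
SAMPLE_WSF = """<job id="main">
<script language="VBScript">
Dim x
x = 1
</script>
<script language="JScript">
var a="\\x68\\x74\\x74\\x70"; eval(unescape("%63%6f%6e%73%6f%6c%65"));
var b=String.fromCharCode(87,83,99,114,105,112,116);
</script>
</job>
"""

# Assumes double-quoted language attributes; WSF blocks may also use single quotes.
SCRIPT_RE = re.compile(r'<script\s+language="([^"]+)"[^>]*>(.*?)</script>', re.I | re.S)
# Constructs often seen in obfuscated scripts; presence alone is not proof of malice.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromcharcode", "execute(", "chr(", "\\x")

def shannon_entropy(text):
    """Bits per character; packed or encoded script bodies score higher."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage_wsf(content):
    """One finding per <script> block: language, entropy, matched markers."""
    findings = []
    for lang, body in SCRIPT_RE.findall(content):
        lowered = body.lower()
        findings.append({
            "language": lang,
            "entropy": round(shannon_entropy(body), 2),
            "markers": sorted(m for m in OBFUSCATION_MARKERS if m in lowered),
        })
    return findings

def suspicion_reasons(findings, entropy_threshold=4.5):
    """Human-readable reasons a WSF deserves analyst attention; empty means none found."""
    reasons = []
    langs = {f["language"].lower() for f in findings}
    if len(langs) > 1:
        reasons.append("mixes %d scripting languages" % len(langs))
    for f in findings:
        if f["markers"]:
            reasons.append("%s block uses %s" % (f["language"], ", ".join(f["markers"])))
        if f["entropy"] >= entropy_threshold:
            reasons.append("%s block has high entropy (%.2f)" % (f["language"], f["entropy"]))
    return reasons

if __name__ == "__main__":
    for reason in suspicion_reasons(triage_wsf(SAMPLE_WSF)):
        print("-", reason)
```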
