New Raspberry Robin malware attacks against government systems and telecommunication service providers involved the delivery of a fake payload aimed at bypassing detection and confusing researchers, according to BleepingComputer.
While Raspberry Robin has already been heavily obfuscated to prevent detection, the malware has begun deploying a fake payload if executed within a sandbox, and the real malware if run in other environments, a Trend Micro report showed.
Researchers discovered that the fake payload had two more layers: a piece of shellcode with a PE file embedded in it, and a PE file whose MZ header and PE signature had been stripped, which eventually attempts to download and execute the "BrowserAssistant" adware in an effort to deceive researchers. The actual malware payload, meanwhile, features 10 obfuscation layers to further hinder analysis.
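As an added illustration of those two inner layers (this is example code written for this page, not code from Trend Micro, BleepingComputer or the malware itself), the Python below carves a PE out of a shellcode blob, recognises a PE whose "MZ" and "PE\0\0" signatures have been removed by validating the structural fields a loader-style parser relies on (e_lfanew, COFF Machine, optional-header magic), and restores the signatures so standard tooling can parse the file again. The sample blobs are constructed inline for the demonstration; none of the byte values come from the real sample.

```python
"""Analyst helper for the layered payload described above (added example).

Two tasks an analyst faces with this kind of staging:
  layer 1: find a PE carried inside position-independent shellcode;
  layer 2: recognise a PE with its MZ and PE signatures zeroed, and repair it.
Sample data below is constructed for the demonstration, not real malware.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0xAA64: "arm64", 0x01C4: "armnt"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def probe_pe(blob: bytes, base: int = 0, require_magic: bool = True):
    """Validate a PE header at blob[base:]; return a dict describing it, or None.

    With require_magic=False the MZ / PE signatures are not checked, so a header
    whose magic bytes were stripped can still be recognised from the structural
    fields: e_lfanew at 0x3C, the COFF Machine value, and the optional-header magic.
    """
    if len(blob) < base + 0x40:
        return None
    if require_magic and blob[base:base + 2] != MZ:
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, base + 0x3C)
    pe = base + e_lfanew
    # Need room for signature (4) + COFF header (20) + optional-header magic (2).
    if e_lfanew < 0x40 or pe + 26 > len(blob):
        return None
    if require_magic and blob[pe:pe + 4] != PE_SIG:
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    (opt_magic,) = struct.unpack_from("<H", blob, pe + 24)
    if machine not in KNOWN_MACHINES or opt_magic not in OPT_MAGIC:
        return None
    if not (1 <= nsections <= 96) or opt_size < 2:  # 96 is the Windows loader's section limit
        return None
    return {
        "offset": base,
        "e_lfanew": e_lfanew,
        "machine": KNOWN_MACHINES[machine],
        "format": OPT_MAGIC[opt_magic],
        "sections": nsections,
        "mz_present": blob[base:base + 2] == MZ,
        "pe_sig_present": blob[pe:pe + 4] == PE_SIG,
    }


def carve_embedded_pe(shellcode: bytes):
    """Layer 1: locate a PE carried inside a shellcode blob (first valid header wins)."""
    i = shellcode.find(MZ)
    while i != -1:
        info = probe_pe(shellcode, i)
        if info:
            return info
        i = shellcode.find(MZ, i + 1)
    return None


def restore_headerless_pe(blob: bytes):
    """Layer 2: recognise a PE with MZ and PE signatures stripped and put them back."""
    info = probe_pe(blob, 0, require_magic=False)
    if info is None:
        return None
    fixed = bytearray(blob)
    fixed[0:2] = MZ
    fixed[info["e_lfanew"]:info["e_lfanew"] + 4] = PE_SIG
    return bytes(fixed)


# --- constructed sample data (not bytes from the real sample) -------------
def build_minimal_pe64() -> bytes:
    """Skeletal PE32+ header: DOS header with e_lfanew=0x80, one section, no real code."""
    dos = bytearray(0x80)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x0022)  # amd64, 1 section
    opt = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)                  # PE32+ magic, padded
    return bytes(dos) + PE_SIG + coff + opt + bytes(64)


def strip_signatures(pe: bytes) -> bytes:
    """Mimic the stripped layer: zero 'MZ' and 'PE\\0\\0' but keep every other field."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    b = bytearray(pe)
    b[0:2] = b"\x00\x00"
    b[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    return bytes(b)


SAMPLE_PE = build_minimal_pe64()
# 32-byte stand-in for a call/pop shellcode stub, followed by the embedded PE.
SAMPLE_SHELLCODE = b"\xe8\x00\x00\x00\x00\x5b\x48\x83\xc3\x20" + b"\x90" * 22 + SAMPLE_PE
SAMPLE_STRIPPED = strip_signatures(SAMPLE_PE)

if __name__ == "__main__":
    print("layer 1:", carve_embedded_pe(SAMPLE_SHELLCODE))
    print("layer 2 (as found):", probe_pe(SAMPLE_STRIPPED))  # None: magic bytes gone
    print("layer 2 (repaired):", probe_pe(restore_headerless_pe(SAMPLE_STRIPPED)))
```

The point of `require_magic=False` is that signature scanning (and many sandbox file-type heuristics) key on the "MZ" and "PE\0\0" bytes, which is exactly what this layer removes; the remaining header fields are still internally consistent and are enough to recognise and repair the file before handing it to a disassembler. The structural checks are deliberately loose (known Machine value, PE32/PE32+ magic, a sane section count), so treat a hit as a candidate for manual review rather than proof.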
Both Raspberry Robin and LockBit were found to share similar tactics, techniques, and procedures, with Raspberry Robin using the same ICM calibration approach for privilege escalation and the same "ThreadHideFromDebugger" technique for anti-debugging that the LockBit threat group employs.