Malware, Critical Infrastructure Security

Fake payload deployed by Raspberry Robin in new attacks

New Raspberry Robin malware attacks against government systems and telecommunication service providers involved the delivery of a fake payload aimed at bypassing detection and confusing researchers, according to BleepingComputer. While Raspberry Robin was already heavily obfuscated to evade detection, the malware now deploys a fake payload when it determines it is running inside a sandbox and the real malware when run in other environments, a Trend Micro report showed. Researchers found that the fake payload carried two further layers: shellcode with an embedded PE file, and a PE file with its MZ header and PE signature stripped, which ultimately attempts to download and execute the "BrowserAssistant" adware in an effort to mislead researchers. Meanwhile, the actual malware payload is wrapped in 10 obfuscation layers to further hinder analysis. Raspberry Robin and LockBit were also found to share tactics, techniques, and procedures: Raspberry Robin uses the same ICM calibration technique for privilege escalation and the same "ThreadHideFromDebugger" technique (a thread information class set via NtSetInformationThread) for anti-debugging.
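The "PE file with no MZ header and PE signature" layer is a static-analysis evasion: signature-based scanners and carving tools key on the `MZ` and `PE\0\0` magic bytes, so a dropper that blanks them and restores them in memory hides the embedded executable from a naive scan. The following script is an added example, not code from the article or from Trend Micro's report. It scans a blob for PE headers without relying on the magic bytes, keying instead on fields a loader still needs (`e_lfanew`, `Machine`, `SizeOfOptionalHeader`, the optional-header `Magic`), reports whether the magic has been stripped, and writes it back so the image parses in normal tooling. The assumption is that only the two signatures were blanked; the sample bytes are constructed inline and are not a real Raspberry Robin payload.

```python
"""Locate PE images whose MZ/PE magic bytes were stripped, and restore them.

Added example (not from the article or Trend Micro). Assumes the dropper
blanked only the two signatures and left the rest of the headers intact.
"""
import struct
from dataclasses import dataclass

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# IMAGE_FILE_MACHINE_I386 / IMAGE_FILE_MACHINE_AMD64 -> image bitness
MACHINES = {0x014C: 32, 0x8664: 64}
# Optional-header Magic -> SizeOfOptionalHeader normally emitted for PE32 / PE32+
OPT_MAGIC = {0x10B: 0xE0, 0x20B: 0xF0}


@dataclass
class PeFinding:
    offset: int        # offset of the DOS header inside the blob
    e_lfanew: int      # DOS header -> NT headers displacement
    bits: int
    mz_present: bool
    pe_present: bool

    @property
    def stripped(self) -> bool:
        return not (self.mz_present and self.pe_present)


def scan_for_pe(blob: bytes) -> list:
    """Return every plausible PE header in blob, whether or not its magic is intact.

    The MZ/PE signatures are deliberately ignored for matching; the scan keys on
    e_lfanew, Machine, NumberOfSections, SizeOfOptionalHeader and the
    optional-header Magic, which must be consistent for the image to load.
    """
    findings = []
    n = len(blob)
    for off in range(0, n - 0x40 + 1):
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        nt = off + e_lfanew
        # DOS header is 0x40 bytes; NT headers need signature(4) + COFF(20) + Magic(2)
        if e_lfanew < 0x40 or nt + 26 > n:
            continue
        machine, nsec = struct.unpack_from("<HH", blob, nt + 4)
        size_opt = struct.unpack_from("<H", blob, nt + 20)[0]
        opt_magic = struct.unpack_from("<H", blob, nt + 24)[0]
        if machine not in MACHINES or not 1 <= nsec <= 96:
            continue
        if OPT_MAGIC.get(opt_magic) != size_opt:
            continue
        findings.append(PeFinding(
            offset=off, e_lfanew=e_lfanew, bits=MACHINES[machine],
            mz_present=blob[off:off + 2] == MZ_MAGIC,
            pe_present=blob[nt:nt + 4] == PE_MAGIC))
    return findings


def restore_magic(blob: bytes, f: PeFinding) -> bytes:
    """Write the MZ and PE signatures back at the offsets the finding identified."""
    buf = bytearray(blob)
    buf[f.offset:f.offset + 2] = MZ_MAGIC
    nt = f.offset + f.e_lfanew
    buf[nt:nt + 4] = PE_MAGIC
    return bytes(buf)


def build_sample(strip: bool) -> bytes:
    """Constructed sample: stand-in shellcode followed by a minimal PE32+ skeleton."""
    shellcode = b"\x90" * 16 + b"\xe8\x00\x00\x00\x00"   # nop sled + call $+5 (constructed)
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: NT headers follow the DOS header
    nt = bytearray(PE_MAGIC)
    # COFF header: Machine=AMD64, 2 sections, no timestamp/symbols, SizeOfOptionalHeader=0xF0
    nt += struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ optional-header Magic
    image = dos + nt + opt + bytearray(2 * 40)           # two empty section headers
    if strip:
        image[0:2] = b"\0\0"                             # blank "MZ"
        image[0x40:0x44] = b"\0\0\0\0"                   # blank "PE\0\0"
    return shellcode + bytes(image)


if __name__ == "__main__":
    blob = build_sample(strip=True)
    for f in scan_for_pe(blob):
        print(f"PE{f.bits} at +{f.offset:#x}, stripped={f.stripped}")
        if f.stripped:
            open("carved.bin", "wb").write(restore_magic(blob, f)[f.offset:])
```

Run against a memory dump or the decoded shellcode layer; a finding with `stripped=True` is exactly the artifact described above, and the restored bytes can be handed to any PE parser. Tighten the heuristics (for example, sanity-checking section headers) before using this on large corpora, since three header fields alone will occasionally match by chance.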
