Raspberry Robin Circling Entities in Europe

Category: Malware Campaign | Industries: Financial, Insurance | Level: Tactical | Source: Security Joes

The popular Raspberry Robin frameworks continue to be used by threat actors to target organizations. Researchers from Security Joes have observed several cases of the framework being used to attack organizations in Europe, particularly those in financial and insurance, and who are Spanish and Portuguese speaking. The patterns in Raspberry Robin's tactics, techniques, and procedures (TTPs) reported by the security industry, enabled Security Joes to associate their cases with Raspberry Robin despite the malware's complexity and heavy use of obfuscation. Commonly during Raspberry Robin's attack chain, the infection beings with a distributed USB drive or a compressed zip file downloaded from a phishing email or website. The zip would contain MSI or a DLL file, used to connect and download the malware from the attacker's command and control (C2) infrastructure. To avoid detection by security tools, the malware would use code obfuscation and layers of encryption to defend against analysis efforts. In addition, the downloader conducts various checks such as querying the registry to see if the host has been infected prior, and profiles the victim host for the attacker's C2. Raspberry Robin when downloaded, uses system binaries such as msiexec, rundll32, or regsvr32 to execute.

Anvilogic Scenario:

• Raspberry Robin Abuses MsiExec

Anvilogic Use Cases:

• Compressed File Execution
• MSIExec Install MSI File
• New AutoRun Registry Key

‍