The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022.
"The main payload itself is packed with more than 10 layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools," Trend Micro researcher Christopher So said in a technical analysis published Tuesday.
A majority of the infections have been detected in Argentina, followed by Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia.
Raspberry Robin, attributed to an activity cluster tracked by Microsoft as DEV-0856, is being increasingly leveraged by multiple threat actors as an initial access mechanism to deliver payloads such as LockBit and Clop ransomware.
The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI installer file that deploys the main payload responsible for facilitating post-exploitation.
Further analysis of Raspberry Robin reveals the use of heavy obfuscation to hinder analysis, with the malware "composed of two payloads embedded in a payload loader packed six times."
The payload loader, for its part, is orchestrated to load the decoy payload, an adware dubbed BrowserAssistant, to throw off detection attempts.
Should no sandboxing or analysis tooling be detected, the real payload is loaded instead and proceeds to connect to a hard-coded .onion address using a custom TOR client embedded within it, where it awaits further commands.
The TOR client process masquerades as legitimate Windows processes such as dllhost.exe, regsvr32.exe, and rundll32.exe, once again underscoring the significant effort the threat actor has made to fly under the radar.
What's more, the malware's real routine runs in the dedicated Windows session reserved for services and other non-interactive user applications, a separation intended to mitigate security risks such as shatter attacks.
Trend Micro said it found similarities in a privilege escalation and an anti-debugging technique used by both Raspberry Robin and LockBit ransomware, hinting at a potential connection between the two criminal actors.
"The group behind Raspberry Robin is the creator of some of the tools LockBit is also using," the company theorized, adding that it may alternatively have "availed of the services of the affiliate responsible for the techniques used by LockBit."
That said, the intrusions appear to be a reconnaissance operation, as no data is returned from the TOR domain, suggesting that the group behind the malware is "testing the waters to see how far its deployments can spread."
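The two behaviours above (a Tor client posing as dllhost.exe, regsvr32.exe or rundll32.exe, and the real routine running in the non-interactive services session) are the kind of thing a detection engineer can check for in process telemetry. The script below is an added example written for this page, not code from Trend Micro or from the article; it assumes a constructed CSV export with pid, image path, session number and outbound connection columns, and it assumes the genuine binaries live under System32 or SysWOW64 on a default Windows install. It flags a name match whose image path lies outside those directories as high severity, and a name match that makes an outbound connection from session 0 as medium severity for analyst review.

```python
import csv
import io
from pathlib import PureWindowsPath

# Process names the article reports Raspberry Robin's embedded TOR client impersonating.
MASQUERADED_NAMES = {"dllhost.exe", "regsvr32.exe", "rundll32.exe"}

# Where the genuine binaries live (assumption: default Windows install paths).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample telemetry for the example; none of these rows are real observations.
# session 0 is the non-interactive services session; outbound_remote is empty when no
# outbound connection was seen for that process.
SAMPLE_TELEMETRY = """\
pid,image_path,session,outbound_remote
4120,C:\\Windows\\System32\\dllhost.exe,1,
5033,C:\\Users\\alice\\AppData\\Local\\Temp\\dllhost.exe,0,203.0.113.7:9001
5890,C:\\Windows\\System32\\rundll32.exe,0,198.51.100.25:443
6102,C:\\Windows\\System32\\svchost.exe,0,198.51.100.40:443
7210,C:\\Windows\\SysWOW64\\regsvr32.exe,2,
"""


def classify(record):
    """Return a finding dict for one telemetry row, or None if nothing is suspicious.

    Only processes whose image name is one of the masqueraded names are examined;
    everything else is out of scope for this particular rule.
    """
    path = PureWindowsPath(record["image_path"])
    name = path.name.lower()
    if name not in MASQUERADED_NAMES:
        return None

    reasons = []
    # Genuine copies of these binaries live in System32/SysWOW64; anything else is a
    # strong signal that a foreign binary is borrowing the name (case-insensitive compare).
    if str(path.parent).lower() not in EXPECTED_DIRS:
        reasons.append("image path outside System32/SysWOW64")

    # A Tor client hidden behind one of these names and running in the services session
    # would show up as an outbound connection from session 0 (heuristic, assumption).
    if record["session"].strip() == "0" and record["outbound_remote"].strip():
        reasons.append("outbound connection from session 0 to " + record["outbound_remote"])

    if not reasons:
        return None
    severity = "high" if reasons[0].startswith("image path") else "medium"
    return {"pid": int(record["pid"]), "image": str(path), "severity": severity, "reasons": reasons}


def scan(telemetry_csv):
    """Run classify() over every row of a CSV export and collect the findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(telemetry_csv)):
        finding = classify(row)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"[{f['severity']}] pid {f['pid']} {f['image']}: " + "; ".join(f["reasons"]))
```

On the constructed sample the scan reports two processes: the dllhost.exe copy running from a user's Temp directory (high, with both reasons) and the System32 rundll32.exe that talks out from session 0 (medium). The legitimate dllhost.exe in an interactive session, the svchost.exe row (not a masqueraded name) and the idle regsvr32.exe produce nothing, which is the point of keeping the path check separate from the weaker session heuristic.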