Raspberry Robin worm

Target Industry

No specific sector has been identified; however, targeting is mostly localised to Europe.

Overview

Severity level: High – Exploitation may result in the infected host being placed under attacker command and control (C2) and in the loss of sensitive data. Initial compromise requires a physical connection (an infected external drive).

A relatively new, Russian-associated malware, Raspberry Robin was first observed in September 2021 and has since been used in a growing number of attacks. The worm spreads either through social-engineering baiting or via infected external drives, and uses the Windows Installer (msiexec.exe) to contact compromised QNAP-associated domains, from which it downloads and installs malicious DLL files on the infected device.

The payload behaviour follows five distinct steps:

  1. An infected external device is attached to the victim's computer.
  2. cmd.exe reads and executes the malicious file, then launches msiexec.exe, which reaches out to a malicious URL.
  3. A malicious DLL is installed from the URL contacted in the previous step.
  4. rundll32.exe launches a legitimate Windows utility to execute the malicious DLL.
  5. Outbound connections are attempted, usually to the Tor network.

Impact

Successful exploitation by Raspberry Robin can result in the compromised system being connected to the attackers' C2 infrastructure. This may lead to further attacks and the loss of sensitive data.

Vulnerability Detection

Current builds of Microsoft Defender will alert users to this activity by flagging stage 3 of the attack chain. Logs may also be searched for unexpected msiexec.exe activity and for DLL downloads and the connections that deliver them.

Affected Products

Windows OS

Containment, Mitigations & Remediations

Correct cyber hygiene measures are key to countering this threat. Unknown external media devices should never be connected to a system without proper measures in place. If you would like to safely see what is on an external hard drive, it is recommended that this is done first within a virtual machine sandbox, in case malicious files are present. This will ensure that any malware does not spread further.

Additionally, it is strongly recommended that customers have effective antivirus installed so that threats such as this are detected and stopped before damage can be done.

Indicators of Compromise

Raspberry Robin reported hash values (SHA-256):

1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1
1d2c8db9ac6082f32e9178469c2c416e5e170095d7f84a771dbb91192c681598
cea528052dc6137b9ec1f2b03342921894fd0bb3b21209320bfdcb4ff7d27fb8

Raspberry Robin reported hash values (MD5):

6f5ea8383bc3bd07668a7d24fe9b0828
e8f0d33109448f877a0e532b1a27131a

Raspberry Robin associated IPs:

46.11.88.251
77.28.21.107
77.99.129.181
84.221.210.56
85.171.54.231

Threat Landscape

Raspberry Robin has been spreading across Europe since its initial discovery at the tail end of 2021. The spread of this malware has been relatively slow, highly likely because of its deployment method and its need for a physical connection to function.

Threat Group

Investigation findings suggest that the Russian cyber crime gang known as Evil Corp is highly likely using Raspberry Robin infrastructure to carry out its latest wave of attacks. However, based on the reporting available, it is unlikely that Raspberry Robin is exclusive to Evil Corp.

Mitre Methodologies

T1036 – Masquerading
T1091 – Replication Through Removable Media
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
T1218.011 – System Binary Proxy Execution: Rundll32
T1218.008 – System Binary Proxy Execution: Odbcconf
T1218.007 – System Binary Proxy Execution: Msiexec
T1218.010 – System Binary Proxy Execution: Regsvr32
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer

Further Information

Red Canary – Raspberry Robin Blog
Cisco Blogs – Raspberry Robin
