1. Home
  2. Software
  3. Raspberry Robin

Raspberry Robin

Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL componenet in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]

ID: S1130
Type: MALWARE
Platforms: Windows
Contributors: Swachchhanda Shrawan Poudel
Version: 1.0
Created: 17 May 2024
Last Modified: 23 July 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.[1]
Enterprise T1036 .004 伪装: Masquerade Task or Service

Raspberry Robin will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.[1]
.008 伪装: Masquerade File Type

Raspberry Robin has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.[2]
Enterprise T1574 劫持执行流

Raspberry Robin will drop a copy of itself to a subfolder in %Program Data% or %Program Data%\Microsoft\ to attempt privilege elevation and defense evasion if not running in Session 0.[1]
.002 DLL Side-Loading

Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.[3]
Enterprise T1140 反混淆/解码文件或信息

Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key such as: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce{random value name} = "rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "{dropped copy path and file name}"".[1]
Enterprise T1059 命令与脚本解释器

Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.[3]
.003 Windows Command Shell

Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.[2]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.[3]
Enterprise T1071 应用层协议

Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.[2][1][3]
.001 Web Protocols

Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.[2] Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.[3]
Enterprise T1480 执行保护

Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.[1] Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.[3]
Enterprise T1083 文件和目录发现

Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.[3]
Enterprise T1027 混淆文件或信息

Raspberry Robin uses mixed-case letters for filenames and commands to evade detection.[2]
.002 Software Packing

Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.[1]
Enterprise T1548 滥用权限提升控制机制

Raspberry Robin implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges.[1]
.002 Bypass User Account Control

Raspberry Robin will use the legitimate Windows utility fodhelper.exe to run processes at elevated privileges without requiring a User Account Control prompt.[2]
Enterprise T1204 用户执行

Raspberry Robin execution can rely on users directly interacting with malicious LNK files.[5]
Enterprise T1070 .004 移除指标: File Deletion

Raspberry Robin can delete its initial delivery script from disk during execution.[3]
.009 移除指标: Clear Persistence

Raspberry Robin uses a RunOnce Registry key for persistence, where the key is removed after its use on reboot then re-added by the malware after it resumes execution.[5]
Enterprise T1218 .007 系统二进制代理执行: Msiexec

Raspberry Robin uses msiexec.exe for post-installation communication to command and control infrastructure.[2] Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.[1]
.008 系统二进制代理执行: Odbcconf

Raspberry Robin uses the Windows utility odbcconf.exe to execute malicious commands, using the regsvr flag to execute DLLs and bypass application control mechanisms that are not monitoring for odbcconf.exe abuse.[2]
.010 系统二进制代理执行: Regsvr32

Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.[2]
.011 系统二进制代理执行: Rundll32

Raspberry Robin uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with Tor nodes.[2]
Enterprise T1082 系统信息发现

Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.[3]
Enterprise T1033 系统所有者/用户发现

Raspberry Robin determines whether it is successfully running on a victim system by querying the running account information to determine if it is running in Session 0, indicating running with elevated privileges.[1]
Enterprise T1102 网络服务

Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.[3]
Enterprise T1583 .001 获取基础设施: Domains

Raspberry Robin uses newly-registered domains containing only a few characters for command and controll purposes, such as "v0[.]cx".[2]
.008 获取基础设施: Malvertising

Raspberry Robin variants have been delivered via malicious advertising items that, when interacted with, download a malicious archive file containing the initial payload, hosted on services such as Discord.[3]
Enterprise T1497 虚拟化/沙盒规避

Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.[1]
.001 System Checks

Raspberry Robin performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.[3]
Enterprise T1622 调试器规避

Raspberry Robin leverages anti-debugging mechanisms through the use of ThreadHideFromDebugger.[1]
Enterprise T1518 .001 软件发现: Security Software Discovery

Raspberry Robin attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.[1][3]
Enterprise T1105 输入工具传输

Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's %AppData% folder.[3][2]
Enterprise T1057 进程发现

Raspberry Robin can identify processes running on the victim machine, such as security software, during execution.[1][3]
Enterprise T1055 .012 进程注入: Process Hollowing

Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.[1]
Enterprise T1559 进程间通信

Raspberry Robin contains an embedded custom Tor network client that communicates with the primary payload via shared process memory.[1]
.001 Component Object Model

Raspberry Robin creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.[1]
Enterprise T1091 通过可移动媒体复制

Raspberry Robin has historically used infected USB media to spread to new victims.[1][2]
Enterprise T1571 非标准端口

Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.[2]

References

  1. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  2. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  3. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  1. Jan Vojtěšek. (2022, September 22). Raspberry Robin’s Roshtyak: A Little Lesson in Trickery. Retrieved May 17, 2024.
  2. Microsoft Threat Intelligence. (2022, October 27). Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity. Retrieved May 17, 2024.