Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Cybersecurity Researchers Uncover Evolved Tactics of Infamous Malware Distributor

Cybersecurity experts have unearthed a resurgence of the notorious Raspberry Robin malware, unveiling a novel campaign tactic employing malicious Windows Script Files (WSFs) to propagate the threat since March 2024.

“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” shared insights from HP Wolf Security in a report provided exclusively to The Hacker News.

Raspberry Robin, also known as the QNAP worm, first surfaced in September 2021 and has since evolved into a multi-purpose downloader for a range of malicious payloads, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, while also serving as a precursor to ransomware.

Originally distributed via USB devices housing LNK files to fetch payloads from compromised QNAP devices, the malware has diversified its dissemination tactics to include social engineering and malvertising strategies.

Linked to an emerging threat cluster designated Storm-0856 by Microsoft, Raspberry Robin maintains associations with broader cybercrime syndicates such as Evil Corp, Silence, and TA505.

The newest distribution method revolves around WSF files, accessible for download through diverse domains and subdomains. Although the precise means of directing victims to these URLs remains unclear, suspicions point toward spam or malvertising campaigns.

The heavily obfuscated WSF file functions as a downloader, fetching the main DLL payload from a remote server with the curl command. Before doing so, it runs a series of anti-analysis and anti-virtual-machine checks to confirm it is not executing in a virtualized environment.

Moreover, the malware is engineered to halt execution if the Windows operating system’s build number is earlier than 17063 (released December 2017), or if antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky are detected among running processes.

In a bid to evade detection, Raspberry Robin configures Microsoft Defender Antivirus exclusion rules, appending the entire main drive to the exclusion list to prevent scanning.
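Because adding a whole drive to the Defender exclusion list is itself a loud, loggable action, one defensive check is to watch the Defender operational log for Event ID 5007 (configuration changed) entries whose new value is a drive-root path exclusion or a script-extension exclusion. The script below is an added illustration written for this article, not HP's or Microsoft's code; the event messages are constructed samples modelled on the 5007 message text, and the set of "interesting" extensions (.wsf, .lnk) is an assumption drawn from the file types named in this report.

```python
import re

# Constructed sample events modelled on the text of Microsoft Defender
# operational-log Event ID 5007 entries; these are not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 5007, "message": "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: \nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"},
    {"event_id": 5007, "message": "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: \nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\MyApp = 0x0"},
    {"event_id": 5007, "message": "Windows Defender Antivirus Configuration has changed.\n"
        "Old value: \nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.wsf = 0x0"},
    {"event_id": 1116, "message": "Windows Defender Antivirus has detected malware (unrelated event)."},
]

# Captures the exclusion kind and the excluded value from a 5007 "New value" line.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x", re.IGNORECASE)
# A bare drive letter such as "C:" or "C:\" means the entire volume is excluded.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
# Assumption: script/shortcut types this campaign relies on (WSF downloader, LNK lures).
SUSPICIOUS_EXTENSIONS = {".wsf", ".lnk"}


def classify_exclusion(kind, value):
    """Return a severity label for a newly added Defender exclusion."""
    kind, value = kind.lower(), value.strip()
    if kind == "paths" and (DRIVE_ROOT_RE.match(value) or value == "*"):
        return "critical"  # whole drive (or everything) excluded from scanning
    if kind == "extensions" and value.lower() in SUSPICIOUS_EXTENSIONS:
        return "high"      # script or shortcut types excluded from scanning
    return "info"          # ordinary, possibly legitimate exclusion


def find_exclusion_changes(events):
    """Return (kind, value, severity) for every exclusion added in a 5007 event."""
    findings = []
    for ev in events:
        if ev["event_id"] != 5007:
            continue
        # Only the "New value" part describes an exclusion being added;
        # a removal would show the path under "Old value" instead.
        parts = ev["message"].split("New value:", 1)
        if len(parts) < 2:
            continue
        m = EXCLUSION_RE.search(parts[1])
        if m:
            kind, value = m.group(1), m.group(2).strip()
            findings.append((kind, value, classify_exclusion(kind, value)))
    return findings


if __name__ == "__main__":
    for kind, value, severity in find_exclusion_changes(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] Defender exclusion added: {kind} -> {value}")
```

On a live host the same check can be run against `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"` output filtered to Id 5007, feeding each message into `find_exclusion_changes`.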

Remarkably, the scripts remain undetected by antivirus scanners on VirusTotal, underscoring the malware’s stealth and the severe threat it poses.

“The WSF downloader is heavily obfuscated and uses many anti-analysis techniques enabling the malware to evade detection and slow down analysis,” emphasized HP.
