Raspberry Robin malware used in attacks against Telecom and Governments

The Raspberry Robin worm attacks aimed at telecommunications and government office systems across Latin America, Australia, and Europe.

Researchers from Trend Micro have uncovered a Raspberry Robin worm campaign targeting telecommunications and government office systems across Latin America, Australia, and Europe.

The campaign has been active since at least September 2022, most of the infections have been observed in Argentina (34,8%), followed by Australia (23,2%).

“We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September.” reads the report published by Trend Micro. “The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.”

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.

The malware uses cmd.exe to read and execute a file stored on the infected external drive, it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Then msiexec.exe launches a legitimate Windows utility, fodhelper.exe, which in turn run rundll32.exe to execute a malicious command. Experts pointed out that processes launched by a fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.

The worm was attributed by IBM to the cybercrime gang Evil Corp, however, it is used by multiple threat actors to deliver malicious payloads such as the Clop ransomware.

The analysis conducted by Trend Micro revealed that the main malware routine contains both the real and fake payloads. The fake payload is loaded once the malicious code detects sandboxing tools, meanwhile the real payload remains obfuscated under packing layers and subsequently connects to the Tor network.

Once installed the malware contact the hard-coded .onion address using an embedded custom TOR client designed to communicate with the real payload using shared memory and it to await further commands.

Upon starting the Tor client process, the real payload randomly uses a name of a legitimate Windows processes like dllhost.exe, regsvr32.exe, and rundll32.exe.

The real routine of the malware runs in a specialized Windows session known as Session 0.

Trend Micro experts discovered multiple similarities with privilege escalation and an anti-debugging technique implemented by LockBit ransomware leading to these hypothesis:

• The group behind LockBit is also behind Raspberry Robin.
• The group behind Raspberry Robin is the maker of some of the tools LockBit is also using.
• The group behind Raspberry Robin availed of the services of the affiliate responsible for the techniques used by LockBit.

“owever, even if Raspberry Robin uses the same techniques, we cannot conclude for certain that the actors behind LockBit and Raspberry Robin are the same.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]