Raspberry Robin Malware

Trend Micro researchers noticed Raspberry Robin in recent attacks on telecommunications service providers and government networks. The Raspberry Robin malware is now dropping a fake payload to evade detection when it detects it’s being run within sandboxes and debugging tools.

Researchers say that, because it uses .lnk files, it appears to propagate across systems in a worm-like manner through an infected USB.

“We have noted the malware’s capability to hide via multiple layers for obfuscation, as well as its feature of delivering a fake payload once the routine detects sandboxing and analysis solutions,” Trend Micro said.

The majority of the group’s victims are telecom companies or governments in Europe, Oceania (Australia), and Latin America.

Percentage of Raspberry Robin detections worldwide (TrendMicro)

Raspberry Robin Infection Routine

Raspberry Robin first appears as a shortcut or LNK file when the user plugs the infected USB into the computer. A command line in the LNK file launches a legitimate executable to download a Windows Installer (MSI) package.


Different techniques are used to obscure the code, featuring multiple layers containing hard-coded values for decrypting the next one.

Raspberry Robin has started to drop one of two separate payloads, depending on the environment it is running in. If the malware recognizes that it is operating in a sandbox, which signals that it is probably being examined, the loader delivers a fake payload. Otherwise, the actual Raspberry Robin malware is launched.

A visual representation of the Raspberry Robin’s packing (Trend Micro)

The fake payload contains two additional layers: a shellcode with an embedded PE file, and a PE file without the MZ header or the PE signature.
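A PE image with its MZ and PE magics removed is invisible to signature-based carving, so an analyst has to recognize it by header structure instead. The Python triage scanner below is an added example, not code from Trend Micro or from this article; it assumes only the two magic values are wiped while e_lfanew, the COFF header and the optional header remain intact, and the function names and sample buffer are constructed for illustration.

```python
import struct

# Field values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64"}
OPT_MAGICS = {0x10B: ("PE32", 96), 0x20B: ("PE32+", 112)}  # name, min optional-header size

def find_pe_images(buf, max_lfanew=0x1000):
    """Locate PE images by header structure rather than by the MZ / PE magics."""
    hits = []
    for base in range(len(buf) - 0x40 + 1):
        # e_lfanew sits at +0x3C of the DOS header and points at the PE signature.
        (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
        coff = base + e_lfanew + 4           # COFF header follows the 4-byte signature
        if not 0x40 <= e_lfanew <= max_lfanew or coff + 22 > len(buf):
            continue
        machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
        (magic,) = struct.unpack_from("<H", buf, coff + 20)
        if machine not in MACHINES or magic not in OPT_MAGICS:
            continue
        fmt, min_opt = OPT_MAGICS[magic]
        sections_end = coff + 20 + opt_size + 40 * nsect   # section table must fit
        if not 1 <= nsect <= 96 or opt_size < min_opt or sections_end > len(buf):
            continue
        hits.append({
            "offset": base, "arch": MACHINES[machine], "format": fmt,
            "mz_present": buf[base:base + 2] == b"MZ",
            "pe_sig_present": buf[base + e_lfanew:base + e_lfanew + 4] == b"PE\0\0",
        })
    return hits

def build_sample(wiped=True):
    """Constructed input: 100 filler bytes, then bare PE32+ headers (no real code)."""
    dos = bytearray(0x80)
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew = 0x80
    sig = b"PE\0\0"
    if wiped:
        sig = b"\0" * 4                      # both magics zeroed
    else:
        dos[0:2] = b"MZ"
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (0xF0 - 2)
    return b"\x90" * 100 + bytes(dos) + sig + coff + opt + b"\0" * (40 * 3)

if __name__ == "__main__":
    for hit in find_pe_images(build_sample()):
        print(hit)
```

A hit with both `mz_present` and `pe_sig_present` false at a non-zero offset is the pattern worth escalating: a structurally valid image that a magic-byte search would have skipped.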

Upon execution, it attempts to scan the Windows registry for infection indicators before starting to gather fundamental system data. The fake payload then attempts to download and run an adware programme called “BrowserAssistant”.

“After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique,” the researchers said.

“It implements a variation of the technique ucmDccwCOMMethod in UACMe, thereby abusing the built-in Windows AutoElevate backdoor”.

Final Word

The malware employs a variety of anti-analysis tactics, but its core payload is layered heavily and demands investigation. As a result, a novice analyst will only discover the false payload, conclude the researchers.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.