The Raspberry Robin worm has targeted the financial and insurance sectors in Europe, as the malware continues to evolve its post-exploitation capabilities while remaining undetected.
A new report released Monday by Security Joes states, “The malware is distinctive in that it is heavily obfuscated and extremely difficult to disassemble statically.”
The intrusions against Spanish- and Portuguese-speaking organizations are notable for collecting more victim machine data than was previously documented, with the malware now exhibiting sophisticated techniques to evade analysis.
Multiple threat actors use Raspberry Robin, also known as the QNAP worm, to gain a foothold in target networks. The framework has recently been used in attacks against the telecom and government sectors, spreading via infected USB drives and other means.
Microsoft tracks Raspberry Robin operators using the identifier DEV-0856.
The forensic investigation conducted by Security Joes into one such attack revealed the use of a 7-Zip file that is downloaded through the victim’s browser via social engineering and contains an MSI installer file designed to drop multiple modules.
In another instance, the victim is said to have downloaded a ZIP file through a malicious advertisement hosted on a domain known to distribute adware.
The archive file, stored on a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader concealed by multiple layers of obfuscation and encryption.
The shellcode downloader is primarily designed to retrieve additional executables, but it has also undergone significant upgrades that enable it to profile its victims in order to deliver appropriate payloads, in some cases even serving fake malware.
This entails gathering the host’s Universally Unique Identifier (UUID), processor name, attached display devices, and the number of minutes since system startup, in addition to the hostname and username information gathered by earlier variants of the malware.
The reconnaissance data is then encrypted with a hard-coded key and transmitted to a command-and-control (C2) server, which responds with a Windows binary that is ultimately executed on the compromised system.
“Not only did we discover a version of the malware that is several times more complex, but we also discovered that the C2 beaconing, which previously had a URL containing a plaintext username and hostname, now has a robust RC4 encrypted payload,” said threat researcher Felipe Duarte.
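A defender-side heuristic for the older beaconing behaviour described above (username and hostname in plaintext in the URL), as an added example that is not taken from the Security Joes report: it flags proxy-log requests whose path or query contains both the requesting machine's own hostname and its logged-on user. The log format, inventory mapping, domains and URL layout are constructed assumptions; the RC4-encrypted beacons would not match this check.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed asset inventory: source IP -> (hostname, logged-on user).
INVENTORY = {
    "10.0.4.17": ("FIN-WS-0231", "mcosta"),
    "10.0.4.52": ("INS-LT-0088", "jalmeida"),
}

# Constructed proxy log lines: "<timestamp> <src_ip> <method> <url>".
SAMPLE_LOG = """\
2023-01-02T09:14:03Z 10.0.4.17 GET http://c2.example.test:8080/aB3x/FIN-WS-0231?mcosta
2023-01-02T09:14:09Z 10.0.4.17 GET https://intranet.example.test/profile/mcosta
2023-01-02T09:15:41Z 10.0.4.52 GET http://cdn.example.test/lib/app.js
2023-01-02T09:16:20Z 10.0.4.52 GET http://c2.example.test:8080/q9/ins-lt-0088%3Fjalmeida
"""


def url_tokens(url):
    """Lower-cased tokens from the decoded URL path and query (host part ignored)."""
    parts = urlsplit(url)
    text = unquote(parts.path + "?" + parts.query).lower()
    return {t for t in re.split(r"[^a-z0-9_-]+", text) if t}


def find_identity_leaks(log_text, inventory):
    """Return (timestamp, src_ip, url) for requests that carry the sender's
    own hostname AND username in the URL path or query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, src, _method, url = fields
        if src not in inventory:
            continue  # unknown asset: nothing to compare against
        host, user = (value.lower() for value in inventory[src])
        tokens = url_tokens(url)
        # Requiring both values keeps ordinary pages that only show a
        # username (such as an intranet profile) from being flagged.
        if host in tokens and user in tokens:
            hits.append((ts, src, url))
    return hits


if __name__ == "__main__":
    for hit in find_identity_leaks(SAMPLE_LOG, INVENTORY):
        print(*hit)
```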