Cybereason recently reported on Raspberry Robin, a worm that uses LNK shortcuts to lure victims and leverages compromised QNAP devices as stagers.
- Raspberry Robin is a worm associated with LNK Worm.
- Raspberry Robin spreads via multiple methods, including LNK files, file archives, USB devices, and ISO files.
- Raspberry Robin leverages QNAP devices as stagers.
- Raspberry Robin uses process injection into legitimate Windows processes to evade detection.
Raspberry Robin is a worm associated with LNK Worm. The worm spreads over USB devices or shared folders, taking advantage of QNAP devices as stagers. It leverages LNK files, file archives, USB devices, and ISO files to infect victims. Most of the Raspberry Robin targets Cybereason observed were located in Europe.
The Raspberry Robin infection chain begins with two files located on a shared drive or external device. One is an LNK file containing a Windows shell command, and the other is a BAT file containing padding data and two commands. The LNK file triggers the initial infection and executes cmd.exe in quiet mode and normal installation mode. It creates another msiexec.exe /V process launched from services.exe. The second process spawns a third msiexec.exe process, which loads a malicious module, which is the malware stage. The malware uses the msiexec.exe LOLBin to download and execute a malicious DLL file on a compromised QNAP device.
Once a machine is infected, Raspberry Robin maintains persistence by running on startup, using a registry run key to automatically load a malicious module through rundll32.exe. In one of the samples analyzed by Cybereason, the module masqueraded as an Apache shared library file, libapriconv-1.dll. In another sample, the module masqueraded as the QT 5 process. That module was signed but not verified by the Windows system. The code signing name used in that sample was OmniContact.
To evade detection, Raspberry Robin uses process injection into legitimate Windows system processes and uses Tor exit nodes to communicate with threat actor infrastructure over ports 80, 443, and 8080.
PolySwarm has multiple samples of Raspberry Robin.
You can use the following CLI command to search for all Raspberry Robin samples in our portal:
$ polyswarm link list -f RaspberryRobin